On Tue, Apr 19, 2022 at 09:10:13AM -0600, Theo de Raadt wrote:
- if ((buf->buf = malloc(len)) == NULL) {
+ if (len == 0)
+ buf->buf = NULL;
+ else if ((buf->buf = malloc(len)) == NULL) {
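Review bot: the new `len == 0` branch turns a valid zero-length buffer into `buf->buf == NULL`, so any caller or later ibuf routine that uses a NULL `buf` pointer as its allocation-failure signal can no longer distinguish "empty" from "out of memory" without also consulting the length; the replaced `malloc(len)` form returned a distinct, non-accessible object for that case, which is exactly the distinction the original code relied on. Either document that a NULL `buf` with zero length is a valid state and audit the consumers that test `buf->buf == NULL`, or keep the allocation and add the size check elsewhere. Minor style point: the brace-less `if (len == 0)` arm sitting beside a braced `else if` reads unevenly; bracing both arms would be clearer.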
This code intentionally permitted malloc(0), because with our malloc/free
behaviour that will allocate a non-read/writeable object and a later
Hi,
Supplying large sizes to ibuf functions can lead to integer overflows
which are not properly handled.
I have added regression tests as well, which make it easier to see
the effects and how to trigger these issues.
The ibuf_open adjustment for malloc(0) has been taken from imsg.c as
can be se