summaryrefslogtreecommitdiff
path: root/lib/libc
diff options
context:
space:
mode:
authorRay Lai <ray@cvs.openbsd.org>2006-03-26 19:56:09 +0000
committerRay Lai <ray@cvs.openbsd.org>2006-03-26 19:56:09 +0000
commit5c5408f5e540ac13c770b7bf563b6cd787f99ecd (patch)
tree762394a4ea5252a0f3bad07128a9b916926d1e14 /lib/libc
parenta79bf577623e4148999d8cd0ffbff3f24e362d05 (diff)
Add warning about malloc(num * size) and recommend calloc() instead,
or if malloc must be used suggest check. Get rid of "one". OK deraadt@ and jmc@, OK kjell@ to earlier version with "one"s.
Diffstat (limited to 'lib/libc')
-rw-r--r--lib/libc/stdlib/malloc.345
1 files changed, 40 insertions, 5 deletions
diff --git a/lib/libc/stdlib/malloc.3 b/lib/libc/stdlib/malloc.3
index 3bb4ad8326b..24e6b3bc53b 100644
--- a/lib/libc/stdlib/malloc.3
+++ b/lib/libc/stdlib/malloc.3
@@ -30,7 +30,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $OpenBSD: malloc.3,v 1.42 2006/01/18 06:36:05 jakemsr Exp $
+.\" $OpenBSD: malloc.3,v 1.43 2006/03/26 19:56:08 ray Exp $
.\"
.Dd August 27, 1996
.Dt MALLOC 3
@@ -83,6 +83,29 @@ The minimum size of the protection on each object is suitably aligned and
sized as previously stated, but the protection may extend further depending
on where in a protected zone the object lands.
.Pp
+When using
+.Fn malloc
+be careful to avoid the following idiom:
+.Bd -literal -offset indent
+if ((p = malloc(num * size)) == NULL)
+ err(1, "malloc");
+.Ed
+.Pp
+The multiplication may lead to an integer overflow.
+To avoid this,
+.Fn calloc
+is recommended.
+.Pp
+If
+.Fn malloc
+must be used, be sure to test for overflow:
+.Bd -literal -offset indent
+if (num && size && SIZE_T_MAX / num < size) {
+ errno = ENOMEM;
+ err(1, "overflow");
+}
+.Ed
+.Pp
The
.Fn calloc
function allocates space for an array of
@@ -90,6 +113,10 @@ function allocates space for an array of
objects, each of whose size is
.Fa size .
The space is initialized to all bits zero.
+The use of
+.Fn calloc
+is strongly encouraged when allocating multiple sized objects
+in order to avoid possible integer overflows.
.Pp
The
.Fn free
@@ -140,7 +167,7 @@ object is returned.
.Pp
When using
.Fn realloc
-one must be careful to avoid the following idiom:
+be careful to avoid the following idiom:
.Bd -literal -offset indent
size += 50;
if ((p = realloc(p, size)) == NULL)
@@ -148,7 +175,7 @@ if ((p = realloc(p, size)) == NULL)
.Ed
.Pp
Do not adjust the variable describing how much memory has been allocated
-until one knows the allocation has been successful.
+until the allocation has been successful.
This can cause aberrant program behavior if the incorrect size value is used.
In most cases, the above sample will also result in a leak of memory.
As stated earlier, a return value of
@@ -167,6 +194,15 @@ p = newp;
size = newsize;
.Ed
.Pp
+As with
+.Fn malloc
+it is important to ensure the new size value will not overflow;
+i.e. avoid allocations like the following:
+.Bd -literal -offset indent
+if ((newp = realloc(p, num * size)) == NULL) {
+ ...
+.Ed
+.Pp
Malloc will first look for a symbolic link called
.Pa /etc/malloc.conf
and next check the environment for a variable called
@@ -255,8 +291,7 @@ Reduce the size of the cache by a factor of two.
Double the size of the cache by a factor of two.
.El
.Pp
-So to set a systemwide reduction of cache size and coredumps on problems
-one would:
+So to set a systemwide reduction of cache size and coredumps on problems:
.Li ln -s 'A<' /etc/malloc.conf
.Pp
The