Comments (12)
Checking the freed pointer value is not a use-after-free. The pointer would have to be dereferenced first, and it is not here.
from openbsd.
By this logic, What would you say is the set of possible outputs of the following program?
#include <stdio.h>
#include <stdlib.h>
int main(void) {
int *p = (int*)malloc(sizeof(int));
int *q = (int*)realloc(p, sizeof(int));
*p = 1;
*q = 2;
if (p == q) printf("%d %d\n", *p, *q);
}
It seems to me that if “checking [a] freed pointer value is not a use-after-free”, then a program that contains the line if (p == q) printf("%d %d\n", *p, *q);
should only every print two identical values.
The above program, when compiled with Clang, prints “1 2”.
A dangling pointer is indeterminate. Using indeterminate memory for anything is undefined behavior. The above program invokes undefined behavior. It can do anything.
SSL_free
and SSL_set_bio
invoke undefined behavior for exactly the same reason as the above example. They can do anything for exactly the same reason.
See also: A dangling pointer is indeterminate. I co-wrote that post, I am not claiming that it is a second opinion, I am claiming that it contains examples that you can reproduce with your own version of GCC and/or Clang, the version that thousands of people will use to compile LibreSSL, and if the code compares dangling pointers, these compilers do not have enough respect for it to generate a binary that follows the rules of logic.
from openbsd.
man 3 realloc please...
from openbsd.
It has been pointed out to me that the following modified example makes a stronger point (modification by Jesse Ruderman).
int main() {
int *p = (int*)malloc(sizeof(int));
if (p == NULL) { return 3; }
int *q = (int*)realloc(p, sizeof(int));
if (q == NULL) { return 3; }
*q = 2;
if (p == q) {
*p = 1;
printf(“%d %d\n”, *p, *q);
}
}
clang -Weverything -O r.c && ./a.out
1 2
from openbsd.
@bob-beck I don't know which man page you are referring to, but since LibreSSL aims to sane POSIX platforms, perhaps we can use the C99 standard instead?
J.2 Undefined behavior
…
— The value of a pointer that refers to space deallocated by a call to the free or realloc function is used (7.20.3).
from openbsd.
"is used to access an object" is the key bit of that phrase. That isn't what's going on in your original code example.
from openbsd.
I temporarily copy-pasted the wrong line, sorry about that (too many references to realloc
in J.2). “is used” is the key bit of the updated quote.
from openbsd.
brent I'm not convinced this isn't an issue.. I'm re-opening until we decide for certain
from openbsd.
At a minimum it's ugly as heck and should be redone more sanely. but this is an area to tread cautiously in.
from openbsd.
OK, now that you actually explained the issue, it makes more sense. Agreed it's certainly ugly regardless of whether it's correct.
from openbsd.
On Thu, Oct 15, 2015 at 04:26:37PM -0700, Brent Cook wrote:
OK, now that you actually explained the issue, it makes more sense. Agreed it's certainly ugly regardless of whether it's correct.
I have diffs mailed for it.
Reply to this email directly or view it on GitHub:
#54 (comment)
from openbsd.
Fix commited - thanks
from openbsd.
Related Issues (20)
- Is libressl compatible with Linux? HOT 2
- curl-7.73.0 w/ libressl-3.2.2 leaks memory HOT 11
- tls_keypair_load_cert() fail but return no error HOT 2
- SSL_CTX_{g,s}et_security_level HOT 3
- Any possibility of creating a ruby gem for this project? HOT 1
- Inconsistent cert verification errors returned between TLS 1.2 and 1.3 HOT 6
- License information not available HOT 1
- one bug
- stack-buffer-overflow in function x509_constraints_parse_mailbox HOT 2
- TLS 1.3 decrypting support
- SIGSEGV occurred in EVP_MD_CTX_cleanup() immediately after malloc() returned NULL in pkey_hmac_init(). HOT 3
- Missing DSA_meth_set1_name HOT 2
- URI Checks are too strict in subject alt name HOT 2
- netcat may read from invalid file descriptors
- libtls: make the TLS_EOF_NO_CLOSE_NOTIFY bit user-visible
- stack-buffer-overflow(max 5byte) in print_bin() when indent is specified as 124 or more
- SIGSEGV occurs if memory allocation fails in ssl3_setup_init_buffer() called by tls13_use_legacy_stack() when downgrading from TLS1.3. HOT 4
- SSL_get{_peer,}_signature_type_nid implemented but not exported HOT 1
- Compat: Ability to compile without IPv6 support HOT 2
- EVP_get_cipherbynid/EVP_get_digestbynid when given an invalid ID/EVP_get_digestbyname segfaults with NULL argument HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openbsd.