[PATCH] crypt: Get rid of alloca usage in __md5_crypt

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

* [PATCH] crypt: Get rid of alloca usage in __md5_crypt_r
@ 2023-09-15 14:12 Joe Simmons-Talbott
  0 siblings, 0 replies; only message in thread
From: Joe Simmons-Talbott @ 2023-09-15 14:12 UTC (permalink / raw)
  To: libc-alpha; +Cc: Joe Simmons-Talbott

Replace alloca usage with scratch_buffers to avoid potential stack
overflow.
---
 crypt/md5-crypt.c | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/crypt/md5-crypt.c b/crypt/md5-crypt.c
index 4e4760545a..891bfedf88 100644
--- a/crypt/md5-crypt.c
+++ b/crypt/md5-crypt.c
@@ -19,6 +19,7 @@
 
 #include <assert.h>
 #include <errno.h>
+#include <scratch_buffer.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/param.h>
@@ -99,7 +100,10 @@ __md5_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
   char *copied_key = NULL;
   char *copied_salt = NULL;
   char *free_key = NULL;
-  size_t alloca_used = 0;
+  struct scratch_buffer sbuf;
+  scratch_buffer_init (&sbuf);
+  struct scratch_buffer saltbuf;
+  scratch_buffer_init (&saltfuf);
 
   /* Find beginning of salt string.  The prefix should normally always
      be present.  Just in case it is not.  */
@@ -114,14 +118,11 @@ __md5_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
     {
       char *tmp;
 
-      if (__libc_use_alloca (alloca_used + key_len + __alignof__ (md5_uint32)))
-	tmp = (char *) alloca (key_len + __alignof__ (md5_uint32));
-      else
-	{
-	  free_key = tmp = (char *) malloc (key_len + __alignof__ (md5_uint32));
-	  if (tmp == NULL)
-	    return NULL;
-	}
+      if (!scratch_buffer_set_array_size (
+		&sbuf, 1, key_len + __alignof__ (md5_unint32))
+        return NULL;
+
+      tmp = sbuf.data;
 
       key = copied_key =
 	memcpy (tmp + __alignof__ (md5_uint32)
@@ -132,7 +133,15 @@ __md5_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
 
   if (((uintptr_t) salt) % __alignof__ (md5_uint32) != 0)
     {
-      char *tmp = (char *) alloca (salt_len + __alignof__ (md5_uint32));
+      if (!scratch_buffer_set_array_size (
+		&saltbuf, salt_len * __alignof__ (md5_uint32)))
+        {
+          scratch_buffer_free (&sbuf);
+          return NULL;
+	}
+
+      char *tmp = saltbuf.data;
+
       salt = copied_salt =
 	memcpy (tmp + __alignof__ (md5_uint32)
 		- ((uintptr_t) tmp) % __alignof__ (md5_uint32),
@@ -145,7 +154,8 @@ __md5_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
   NSSLOWInitContext *nss_ictx = NSSLOW_Init ();
   if (nss_ictx == NULL)
     {
-      free (free_key);
+      scratch_buffer_free (&sbuf);
+      scratch_buffer_free (&saltbuf);
       return NULL;
     }
   NSSLOWHASHContext *nss_ctx = NULL;
@@ -295,7 +305,8 @@ __md5_crypt_r (const char *key, const char *salt, char *buffer, int buflen)
   if (copied_salt != NULL)
     explicit_bzero (copied_salt, salt_len);
 
-  free (free_key);
+  scratch_buffer_free (&sbuf);
+  scratch_buffer_free (&saltbuf);
   return buffer;
 }
 
-- 
2.39.2


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2023-09-15 14:13 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-15 14:12 [PATCH] crypt: Get rid of alloca usage in __md5_crypt_r Joe Simmons-Talbott

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).