changeset 1365:9aa6cd66b51d fuzz

zlib can use m_malloc/m_free too
author Matt Johnston <matt@ucc.asn.au>
date Mon, 22 May 2017 22:09:26 +0800
parents 17104db7928c
children a91466491d5b
files common-kex.c dbmalloc.c dbmalloc.h
diffstat 3 files changed, 15 insertions(+), 7 deletions(-) [+]
--- a/common-kex.c	Sun May 21 18:53:44 2017 +0800
+++ b/common-kex.c	Mon May 22 22:09:26 2017 +0800
@@ -391,6 +391,14 @@
 			&& ses.keys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY);
 }
 
+static void* dropbear_zalloc(void* UNUSED(opaque), uInt items, uInt size) {
+	return m_calloc(items, size);
+}
+
+static void dropbear_zfree(void* UNUSED(opaque), void* ptr) {
+	m_free(ptr);
+}
+
 /* Set up new zlib compression streams, close the old ones. Only
  * called from gen_new_keys() */
 static void gen_new_zstream_recv() {
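Review bot: dropbear_zalloc and dropbear_zfree are added without a comment, and their failure behaviour differs from what zlib documents for a custom allocator. The dbmalloc.c hunk in this changeset shows m_calloc() calling dropbear_exit() on size overflow rather than returning `Z_NULL`, so zlib's own allocation-failure paths are presumably never reached through these hooks. A short comment above dropbear_zalloc would record that, for example `/* zlib allocator hooks routed through m_calloc()/m_free(); m_calloc() exits on size overflow instead of returning Z_NULL */`.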
@@ -399,11 +407,10 @@
 	if (ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB
 			|| ses.newkeys->recv.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
 		ses.newkeys->recv.zstream = (z_streamp)m_malloc(sizeof(z_stream));
-		ses.newkeys->recv.zstream->zalloc = Z_NULL;
-		ses.newkeys->recv.zstream->zfree = Z_NULL;
+		ses.newkeys->recv.zstream->zalloc = dropbear_zalloc;
+		ses.newkeys->recv.zstream->zfree = dropbear_zfree;
 		
 		if (inflateInit(ses.newkeys->recv.zstream) != Z_OK) {
-			m_free(ses.newkeys->recv.zstream);
 			dropbear_exit("zlib error");
 		}
 	} else {
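Review bot: The new assignments set `zalloc` and `zfree` but leave `opaque` unset before `inflateInit()`, and zlib only fills in `opaque` itself when `zalloc` is `Z_NULL`. Unless m_malloc() returns zeroed memory (not visible here), the callbacks are now handed an indeterminate pointer. It is ignored today because both callbacks mark it `UNUSED(opaque)`, but adding `ses.newkeys->recv.zstream->opaque = Z_NULL;` next to the two assignments keeps the stream state fully defined. The same applies to the `trans` stream assignments in the following hunk. The body of gen_new_zstream_recv() continues past this hunk.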
@@ -424,8 +431,8 @@
 	if (ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB
 			|| ses.newkeys->trans.algo_comp == DROPBEAR_COMP_ZLIB_DELAY) {
 		ses.newkeys->trans.zstream = (z_streamp)m_malloc(sizeof(z_stream));
-		ses.newkeys->trans.zstream->zalloc = Z_NULL;
-		ses.newkeys->trans.zstream->zfree = Z_NULL;
+		ses.newkeys->trans.zstream->zalloc = dropbear_zalloc;
+		ses.newkeys->trans.zstream->zfree = dropbear_zfree;
 	
 		if (deflateInit2(ses.newkeys->trans.zstream, Z_DEFAULT_COMPRESSION,
 					Z_DEFLATED, DROPBEAR_ZLIB_WINDOW_BITS, 
--- a/dbmalloc.c	Sun May 21 18:53:44 2017 +0800
+++ b/dbmalloc.c	Mon May 22 22:09:26 2017 +0800
@@ -77,7 +77,9 @@
 }
 
 void * m_calloc(size_t nmemb, size_t size) {
-    assert(nmemb <= 1000 && size <= 10000);
+    if (SIZE_T_MAX / nmemb < size) {
+        dropbear_exit("m_calloc failed");
+    }
     return m_malloc(nmemb*size);
 }
 
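Review bot: `SIZE_T_MAX / nmemb` divides by zero when `nmemb` is 0, a value the removed assert accepted; that is undefined behaviour and typically a crash rather than a clean exit. Guard the division, `if (nmemb != 0 && size > SIZE_T_MAX / nmemb) {`, so a zero count either falls through to `m_malloc(0)` or is rejected explicitly if that is the intended policy. Since dropbear_zalloc in common-kex.c now forwards zlib's `items` and `size` here, the arguments are no longer all chosen by Dropbear's own callers. Separately, `SIZE_T_MAX` is not the ISO C name (`SIZE_MAX` from `<stdint.h>` is), so it is worth confirming that every supported target defines it.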
--- a/dbmalloc.h	Sun May 21 18:53:44 2017 +0800
+++ b/dbmalloc.h	Mon May 22 22:09:26 2017 +0800
@@ -4,7 +4,6 @@
 #include "includes.h"
 
 void * m_malloc(size_t size);
-/* m_calloc is limited in size, enough for libtomcrypt */
 void * m_calloc(size_t nmemb, size_t size);
 void * m_strdup(const char * str);
 void * m_realloc(void* ptr, size_t size);