bind9/fuzz
Tony Finch 599c1d2a6b Avoid using C99 variable length arrays
From an attacker's point of view, a VLA declaration is essentially a
primitive for performing arbitrary arithmetic on the stack pointer. If
the attacker can control the size of a VLA they have a very powerful
tool for causing memory corruption.

To mitigate this kind of attack, and the more general class of stack
clash vulnerabilities, C compilers insert extra code when allocating a
VLA to probe the growing stack one page at a time. If these probes hit
the stack guard page, the program will crash.

From the point of view of a C programmer, there are a few things to
consider about VLAs:

  * If it is important to handle allocation failures in a controlled
    manner, don't use VLAs. You can use VLAs if it is OK for
    unreasonable inputs to cause an uncontrolled crash.

  * If the VLA is known to be smaller than some known fixed size,
    use a fixed size array and a run-time check to ensure it is large
    enough. This will be more efficient than the compiler's stack
    probes that need to cope with arbitrary-size VLAs.

  * If the VLA might be large, allocate it on the heap. The heap
    allocator can allocate multiple pages in one shot, whereas the
    stack clash probes work one page at a time.

Most of the existing uses of VLAs in BIND are in test code where they
are benign, but there was one instance in `named`, in the GSS-TSIG
verification code, which has now been removed.

This commit adjusts the style guide and the C compiler flags to allow
VLAs in test code but not elsewhere.
2022-03-18 15:11:48 +00:00
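The three options in the commit message, shown side by side as an added example (this is not code from the BIND commit or the bind9 repository). The VLA version is kept only for contrast; `checksum_bounded` is the fixed-array-plus-run-time-check option, and `checksum_heap_fallback` is the heap option for inputs that may be large. The function names, the `SCRATCH_MAX` value, the upper-casing checksum used as a stand-in for real work, and the sample inputs are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Largest input that gets a stack buffer. Kept well under one page
 * (4 KiB on most targets) so the frame size is fixed at compile time
 * and the compiler needs no stack-clash probes. Hypothetical value
 * chosen for this example.
 */
#define SCRATCH_MAX 256

/* Shared worker: upper-case ASCII into scratch, then sum the bytes. */
static uint32_t
upper_sum(const uint8_t *in, uint8_t *scratch, size_t len) {
	uint32_t sum = 0;
	for (size_t i = 0; i < len; i++) {
		uint8_t c = in[i];
		scratch[i] = (c >= 'a' && c <= 'z') ? (uint8_t)(c - 32) : c;
		sum += scratch[i];
	}
	return sum;
}

/*
 * The pattern the commit removes: the VLA size comes from the caller,
 * so an unreasonable 'len' moves the stack pointer by an arbitrary
 * amount and the only failure mode is a crash on the guard page.
 */
static int64_t
checksum_vla(const uint8_t *in, size_t len) {
	if (len == 0) {
		return 0; /* a zero-length VLA is undefined behaviour */
	}
	uint8_t scratch[len]; /* C99 VLA, size unbounded at compile time */
	return upper_sum(in, scratch, len);
}

/*
 * Second bullet: the input is known to be small, so use a fixed array
 * plus a run-time check and refuse anything larger. Nothing here can
 * fail to allocate.
 */
static int64_t
checksum_bounded(const uint8_t *in, size_t len) {
	uint8_t scratch[SCRATCH_MAX];
	if (len > sizeof(scratch)) {
		return -1; /* controlled failure instead of a stack crash */
	}
	return upper_sum(in, scratch, len);
}

/*
 * Third bullet: the input may be large, so anything beyond the fixed
 * buffer goes to the heap, where the allocator maps all the pages in
 * one shot and a failure is reported to the caller.
 */
static int64_t
checksum_heap_fallback(const uint8_t *in, size_t len) {
	uint8_t fixed[SCRATCH_MAX];
	uint8_t *scratch = fixed;
	if (len > sizeof(fixed)) {
		scratch = malloc(len);
		if (scratch == NULL) {
			return -1; /* allocation failure handled, not a crash */
		}
	}
	uint32_t sum = upper_sum(in, scratch, len);
	if (scratch != fixed) {
		free(scratch);
	}
	return sum;
}

int
main(void) {
	/* Constructed sample inputs: a short name and a 4000-byte blob. */
	const uint8_t *name = (const uint8_t *)"example.com";
	static uint8_t blob[4000];
	memset(blob, 'x', sizeof(blob));

	printf("vla      %lld\n", (long long)checksum_vla(name, 11));
	printf("bounded  %lld\n", (long long)checksum_bounded(name, 11));
	printf("bounded  %lld (too large, rejected)\n",
	       (long long)checksum_bounded(blob, sizeof(blob)));
	printf("heap     %lld\n",
	       (long long)checksum_heap_fallback(blob, sizeof(blob)));
	return 0;
}
```

Compiling with `-Wvla` (or `-Werror=vla`, as the commit does for non-test code) flags only `checksum_vla`; the other two functions have a frame size the compiler knows at compile time, which is what removes the need for stack probes.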
dns_master_load.in Add dns_master_loadbuffer() fuzzer 2022-02-24 10:02:56 +01:00
dns_message_parse.in Add packet from issue #4189 2020-09-30 13:24:29 +00:00
dns_name_fromtext_target.in oss-fuzz: Improve interaction with fuzzing tools and add new tests in fuzz/ directory 2018-08-23 10:07:28 +02:00
dns_rdata_fromtext.in Add seed that demonstrated INSIST triggered in isc_lex_gettoken 2022-03-01 16:05:39 -08:00
dns_rdata_fromwire_text.in add svcb fuzzing seed 2021-08-18 13:49:48 +10:00
isc_lex_getmastertoken.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
isc_lex_gettoken.in Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
.gitignore Add dns_rdata_fromtext() fuzzer 2022-02-24 11:12:06 +01:00
afl.sh Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
dns_master_load.c Add dns_master_loadbuffer() fuzzer 2022-02-24 10:02:56 +01:00
dns_message_parse.c Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
dns_name_fromtext_target.c Add dns_rdata_fromtext() fuzzer 2022-02-24 11:12:06 +01:00
dns_rdata_fromtext.c Add dns_rdata_fromtext() fuzzer 2022-02-24 11:12:06 +01:00
dns_rdata_fromwire_text.c Add dns_rdata_fromtext() fuzzer 2022-02-24 11:12:06 +01:00
fuzz.h Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
FUZZING.md Fix configure options in FUZZING.md 2022-02-24 11:12:02 +01:00
isc_lex_getmastertoken.c Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
isc_lex_gettoken.c Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
libfuzzer.sh Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
main.c Update the copyright information in all files in the repository 2022-01-11 09:05:02 +01:00
Makefile.am Avoid using C99 variable length arrays 2022-03-18 15:11:48 +00:00