math: p_median: Fix for stack overflow weakness. #170
Conversation
The use of variable length arrays (VLA) without any size range checking is a security weakness that can be used to provoke a stack overflow that may lead to an arbitrary code execution vu$ My proposed fix simply uses dynamic memory allocation over VLA. For more information regarding proper use of VLA, please read: https://www.securecoding.cert.org/confluence/display/c/ARR32-C.+Ensure+size+arguments+for+variable+length+arrays+are+in+a+valid+range Signed-off-by: Giancarlo Canales Barreto <gcanalesb@me.com>
|
This problem would also limit the number of elements in the vector to about For instance, This problem isn't much about trusting the programmer, and more about trusting the source of the data that you want to compute the median of. |
|
@ebadi is right in that |
|
According to QUESTIONS, these situations should be delt as GIGO. PAL should not protect anyone against themselves. However, VLAs are C99 and are not supported by all compiler (Microsoft, notably). I think using |
|
@lchamon 👍 |
|
Security is not a first order concern at this low level library. Assumption is that it will be handled at a higher level. Also, as @ichamon stated there are bound to be portability issues across tools/archs if this is baked into this library. |
|
@aolofsson: The current implementation uses VLAs. This PR corrects that (I think I expressed myself very poorly in my comment!). Also, it might be a good idea to fix the |
The use of variable length arrays (VLA) without any size range checking is a security weakness that can be used to provoke a stack overflow that may lead to arbitrary code execution.
My proposed fix simply uses dynamic memory allocation over VLA.
For more information regarding proper use of VLA, please read:
https://www.securecoding.cert.org/confluence/display/c/ARR32-C.+Ensure+size+arguments+for+variable+length+arrays+are+in+a+valid+range
Signed-off-by: Giancarlo Canales Barreto gcanalesb@me.com