diff options
| author | ray <> | 2006-03-26 19:56:08 +0000 |
|---|---|---|
| committer | ray <> | 2006-03-26 19:56:08 +0000 |
| commit | e9b518847b88ec21d7f09693543570b157debf5b (patch) | |
| tree | b4633b630328840de04ebcbb3ccfba8fb158cd6f /src/lib/libc | |
| parent | bb8d758ce8162eb6175ee6329cbc8d33d3515016 (diff) | |
| download | openbsd-e9b518847b88ec21d7f09693543570b157debf5b.tar.gz openbsd-e9b518847b88ec21d7f09693543570b157debf5b.tar.bz2 openbsd-e9b518847b88ec21d7f09693543570b157debf5b.zip | |
Add warning about malloc(num * size) and recommend calloc() instead,
or if malloc must be used suggest check.
Get rid of "one".
OK deraadt@ and jmc@, OK kjell@ to earlier version with "one"s.
Diffstat (limited to 'src/lib/libc')
| -rw-r--r-- | src/lib/libc/stdlib/malloc.3 | 45 |
1 files changed, 40 insertions, 5 deletions
diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3 index 3bb4ad8326..24e6b3bc53 100644 --- a/src/lib/libc/stdlib/malloc.3 +++ b/src/lib/libc/stdlib/malloc.3 | |||
| @@ -30,7 +30,7 @@ | |||
| 30 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 30 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 31 | .\" SUCH DAMAGE. | 31 | .\" SUCH DAMAGE. |
| 32 | .\" | 32 | .\" |
| 33 | .\" $OpenBSD: malloc.3,v 1.42 2006/01/18 06:36:05 jakemsr Exp $ | 33 | .\" $OpenBSD: malloc.3,v 1.43 2006/03/26 19:56:08 ray Exp $ |
| 34 | .\" | 34 | .\" |
| 35 | .Dd August 27, 1996 | 35 | .Dd August 27, 1996 |
| 36 | .Dt MALLOC 3 | 36 | .Dt MALLOC 3 |
| @@ -83,6 +83,29 @@ The minimum size of the protection on each object is suitably aligned and | |||
| 83 | sized as previously stated, but the protection may extend further depending | 83 | sized as previously stated, but the protection may extend further depending |
| 84 | on where in a protected zone the object lands. | 84 | on where in a protected zone the object lands. |
| 85 | .Pp | 85 | .Pp |
| 86 | When using | ||
| 87 | .Fn malloc | ||
| 88 | be careful to avoid the following idiom: | ||
| 89 | .Bd -literal -offset indent | ||
| 90 | if ((p = malloc(num * size)) == NULL) | ||
| 91 | err(1, "malloc"); | ||
| 92 | .Ed | ||
| 93 | .Pp | ||
| 94 | The multiplication may lead to an integer overflow. | ||
| 95 | To avoid this, | ||
| 96 | .Fn calloc | ||
| 97 | is recommended. | ||
| 98 | .Pp | ||
| 99 | If | ||
| 100 | .Fn malloc | ||
| 101 | must be used, be sure to test for overflow: | ||
| 102 | .Bd -literal -offset indent | ||
| 103 | if (num && size && SIZE_T_MAX / num < size) { | ||
| 104 | errno = ENOMEM; | ||
| 105 | err(1, "overflow"); | ||
| 106 | } | ||
| 107 | .Ed | ||
| 108 | .Pp | ||
| 86 | The | 109 | The |
| 87 | .Fn calloc | 110 | .Fn calloc |
| 88 | function allocates space for an array of | 111 | function allocates space for an array of |
| @@ -90,6 +113,10 @@ function allocates space for an array of | |||
| 90 | objects, each of whose size is | 113 | objects, each of whose size is |
| 91 | .Fa size . | 114 | .Fa size . |
| 92 | The space is initialized to all bits zero. | 115 | The space is initialized to all bits zero. |
| 116 | The use of | ||
| 117 | .Fn calloc | ||
| 118 | is strongly encouraged when allocating multiple sized objects | ||
| 119 | in order to avoid possible integer overflows. | ||
| 93 | .Pp | 120 | .Pp |
| 94 | The | 121 | The |
| 95 | .Fn free | 122 | .Fn free |
| @@ -140,7 +167,7 @@ object is returned. | |||
| 140 | .Pp | 167 | .Pp |
| 141 | When using | 168 | When using |
| 142 | .Fn realloc | 169 | .Fn realloc |
| 143 | one must be careful to avoid the following idiom: | 170 | be careful to avoid the following idiom: |
| 144 | .Bd -literal -offset indent | 171 | .Bd -literal -offset indent |
| 145 | size += 50; | 172 | size += 50; |
| 146 | if ((p = realloc(p, size)) == NULL) | 173 | if ((p = realloc(p, size)) == NULL) |
| @@ -148,7 +175,7 @@ if ((p = realloc(p, size)) == NULL) | |||
| 148 | .Ed | 175 | .Ed |
| 149 | .Pp | 176 | .Pp |
| 150 | Do not adjust the variable describing how much memory has been allocated | 177 | Do not adjust the variable describing how much memory has been allocated |
| 151 | until one knows the allocation has been successful. | 178 | until the allocation has been successful. |
| 152 | This can cause aberrant program behavior if the incorrect size value is used. | 179 | This can cause aberrant program behavior if the incorrect size value is used. |
| 153 | In most cases, the above sample will also result in a leak of memory. | 180 | In most cases, the above sample will also result in a leak of memory. |
| 154 | As stated earlier, a return value of | 181 | As stated earlier, a return value of |
| @@ -167,6 +194,15 @@ p = newp; | |||
| 167 | size = newsize; | 194 | size = newsize; |
| 168 | .Ed | 195 | .Ed |
| 169 | .Pp | 196 | .Pp |
| 197 | As with | ||
| 198 | .Fn malloc | ||
| 199 | it is important to ensure the new size value will not overflow; | ||
| 200 | i.e. avoid allocations like the following: | ||
| 201 | .Bd -literal -offset indent | ||
| 202 | if ((newp = realloc(p, num * size)) == NULL) { | ||
| 203 | ... | ||
| 204 | .Ed | ||
| 205 | .Pp | ||
| 170 | Malloc will first look for a symbolic link called | 206 | Malloc will first look for a symbolic link called |
| 171 | .Pa /etc/malloc.conf | 207 | .Pa /etc/malloc.conf |
| 172 | and next check the environment for a variable called | 208 | and next check the environment for a variable called |
| @@ -255,8 +291,7 @@ Reduce the size of the cache by a factor of two. | |||
| 255 | Double the size of the cache by a factor of two. | 291 | Double the size of the cache by a factor of two. |
| 256 | .El | 292 | .El |
| 257 | .Pp | 293 | .Pp |
| 258 | So to set a systemwide reduction of cache size and coredumps on problems | 294 | So to set a systemwide reduction of cache size and coredumps on problems: |
| 259 | one would: | ||
| 260 | .Li ln -s 'A<' /etc/malloc.conf | 295 | .Li ln -s 'A<' /etc/malloc.conf |
| 261 | .Pp | 296 | .Pp |
| 262 | The | 297 | The |