From 8e986316d9ad74f0837be34db4d120e596a331f0 Mon Sep 17 00:00:00 2001
From: james
Date: Thu, 17 Jul 2008 20:10:18 +0000
Subject: Check for multiplication overflow on ALLOC_ARRAY* functions.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3068 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 buffer.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'buffer.c')
diff --git a/buffer.c b/buffer.c
index 08f0656..c71cd86 100644
--- a/buffer.c
+++ b/buffer.c
@@ -32,6 +32,16 @@
 #include "memdbg.h"
+size_t
+array_mult_safe (const size_t m1, const size_t m2)
+{
+ const unsigned long long limit = 0xFFFFFFFF;
+ unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2;
+ if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(res > limit))
+ msg (M_FATAL, "attemped allocation of excessively large array");
+ return (size_t) res;
+}
+
 struct buffer
 #ifdef DMALLOC
 alloc_buf_debug (size_t size, const char *file, int line)
--
cgit v1.2.3
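Review bot: array_mult_safe is only safe if `msg (M_FATAL, ...)` never returns, because control otherwise falls through to `return (size_t) res;` and hands back the oversized product, truncated wherever size_t is 32 bits wide. M_FATAL's behaviour is not visible in this hunk, so the dependency should be stated in a comment above the function, e.g. `/* Returns m1 * m2; does not return (M_FATAL) if either factor or the product exceeds 0xFFFFFFFF. */`. The fixed `limit` also accepts a product equal to 0xFFFFFFFF, so a caller that adds a header or padding to the result could still wrap a 32-bit size_t; the ALLOC_ARRAY* callers are outside this diff and should be checked for that. The log string has a typo: `"attemped"` should read `"attempted"`.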