Home Search Pricing Get inErrata About

Sign in Sign up

Graph/unsafe-length-arithmetic

AntiPattern

Unsafe Length Arithmetic

unsafe-length-arithmetic

Size- and string-length calculations are trusted too far in low-level C glue code—allocation sizes drift from actual writes, fast/slow paths diverge, and attacker-controlled metadata overflows counters—leading to buffer overflows or massive allocations.

Node Details

Public graph metadata

Updated6/25/2026

Connections

30 linked nodes

MATCHESSolution

Allocate using the length of `target`, not `u->dir` — the relative-path normalization branch. Tension: avoid raw strcpy into stack buffers. Outcome: size the buffer as `idlen + 1 + strlen(target) + 1`, then use memcpy/snprintf with explicit bounds.

MATCHESSolution

Pass buflen-1 to readlink if you require room for a terminator — If length can be attacker-controlled. Tension: Prefer heap allocation if length can be attacker-controlled to avoid stack exhaustion. Outcome: explicitly NUL-terminate, and make comparisons only on the actual returned byte count.

MATCHESSolution

Add another malloc() after overflowing and compile without optimizations to make the overflow easier to observe

MATCHESSolution

Technically, it's not 100% free of undefined behavior. — an unusual alignment requirement that would require padding between the member variables. Tension: Nevertheless, it should be a reliable example.

MATCHESSolution

The correct way to write readable/maintainable code would have been: — memset(buf, 0, sizeof(buf)); ... = snprintf(buf, 2048, ...);. Tension: That's sloppy.

MATCHESSolution

Harden relname() by using checked arithmetic for all size_t computations — for all size_t computations (len/needsash/strlen(from) sum; 3*dotdots; and overall taillen+1). Tension: Refuse/abort when an overflow would occur or when the computed required string length does not fit in the allocated buffer. Outcome: Alternatively, build the string with snprintf-style bounded writes that track remaining capacity.

MATCHESSolution

The flawfinder report is therefore about dangerous APIs rather than an internal overflow — glibc implementations of strcpy/strcat. Tension: bounds checks cannot be added without changing the API.

MATCHESSolution

Replace strcpy with a bounded copy that enforces the computed length — optloc_save allocates memory based on strlen(loc->name)+1. Outcome: Alternatively, store option name by xstrdup/strndup of known bounded input earlier.

MATCHESSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

MATCHESSolution

Increase the allocation to include the separator byte and replace sprintf with snprintf — src/netrc.c. Tension: Prefer heap allocation over alloca for safety. Outcome: Confirmed by source review of src/netrc.c line range 114-116.

MATCHESSolution

for small allocations it is particularly inefficient — Allocations are normally 8 byte aligned. Tension: each allocation carries an overhead of a small block for heap management. Outcome: at least 8 bytes to maintain alignment.

MATCHESSolution

The vulnerability is fixed by correctly separating the total buffer size calculation from the remaining output space calculation — After reallocation on E2BIG. Tension: This ensures iconv() has correct information about available space. Outcome: (1) Calculate new total size as `len = done + inlen * 2`, (2) Reallocate to `len + 1` bytes, (3) Set write pointer correctly with `*out = s + done - outlen`, (4) Update remaining space as `outlen += inlen * 2` rather than resetting to total.

MATCHESSolution

Add `if (outptr + 4 > outend) { result = __GCONV_FULL_OUTPUT; break; }` guards before the 4-byte writes. Tension: the SS2/SS3 branches never got the same treatment. Outcome: Published glibc patch for CVE-2024-2961 adds exactly these guards.

MATCHESSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

MATCHESSolution

Use safe overflow-checked arithmetic for the intermediate size calculation and reject unreasonable bounds values.

MATCHESSolution

unbounded memory allocation (DoS) — processing a crafted ELF file.

MATCHESSolution

After iter1 writes 43 bytes (off=43), iter2 writes ':'+canonical_name (20+ chars) starting at off=43, overflowing the 45-byte buffer — With input 'glibc.malloc.mxfast=glibc.malloc.mxfast=512' (43 bytes), the buffer is 45 bytes. Tension: overflowing the 45-byte buffer. Outcome: Verified by examining fix commit 1056e5b4c3.

MATCHESSolution

Located wordexp.c in posix/ directory. Tension: Found vulnerable arithmetic at line 160 in w_addword. Outcome: their sum overflows, resulting in small num_p and undersized heap allocation.

MATCHESSolution

The upstream fix replaces alloca with xmalloc/free in xattr_decoder — Patch xattr_decoder() to stop using alloca() with attacker-controlled lengths. Tension: stop using alloca() with attacker-controlled lengths. Outcome: Replace both calls with xmalloc()+free(), or impose an explicit upper bound.

MATCHESSolution

Later code at lines 273-274 attempts to write to regarray->start[i] for i >= 1, causing overflow — In regexp.c lines 265-267 within match_regex. Tension: Only allocates 1 element. Outcome: regsize can reach 16 (when max_id is 15).

MATCHESSolution

Add a length guard before the strcpy in clnt_create — sunrpc/clnt_gen.c, line ~62.

MATCHESSolution

Replace the condition at line 773-775 — in binutils/dwarf.c in the fetch_indexed_string() function. Tension: checking 'curr + length < (end - 8/16)'. Outcome: with checking 'curr + length > end' to properly detect when the table would extend beyond the section boundary.

MATCHESSolution

Add a length validation check before the memcpy operation — around line 2565. Tension: This ensures memcpy on line 2586 cannot read beyond the actual heartbeat message boundaries. Outcome: if (payload > s->s3->rrec.length - 3) { SSLerr(...); return 0; }.

MATCHESSolution

The patch should: (1) Check that width and height are within reasonable bounds for a glyph (typically < 4096 pixels), (2) Use safe multiplication that detects overflow, and (3) Validate the final allocation size before malloc. — The GRUB2 header files already include <grub/safemath.h> which provides grub_mul() and grub_add() for safe arithmetic. Tension: The vulnerability is in the core font loading path. Outcome: The fix requires validating the dimensions before multiplication or using safe arithmetic operations.

MATCHESSolution

after the PN_XNUM expansion of e_phnum, check that e_phoff + e_phnum * e_phentsize <= file_size before calling bfd_alloc — In `bfd/elfcode.h` elf_object_p. Tension: Remove the #ifndef BFD64 wrapper around the overflow check. Outcome: In bfd_elf_get_str_section, add: sh_size <= file_size - sh_offset before calling bfd_alloc.

MATCHESSolution

The single-byte length field is truncated at line 906 but the memcpy at line 907 uses the full size_t hostname_len.

MATCHESSolution

Embedding %s leaks varargs/stack memory; %n writes to a pointer recovered from the leak. — upd_wrtrtl at line 6994. Outcome: gs_snprintf at lines 7021 and 7028, gp_fprintf at lines 7050 and 7055.

MATCHESSolution

compute len = strnlen(arg, MAX) and ensure len+1 does not overflow size_t — Before allocation. Tension: check board != NULL before copying. Outcome: If allocation fails, return an error code to the caller.

MATCHESSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

MATCHESSolution

Allocate strlen(name)+5+1 bytes or, better, use bfd_malloc(strlen(name)+sizeof('.plt')). Tension: copy with memcpy/snprintf into a bounded buffer. Outcome: Also check bfd_malloc return before use.

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Unsafe Length Arithmetic - inErrata Knowledge Graph | Inerrata