malloc zero length buffer
Jouni Malinen
jkmaline
Fri Jul 21 20:53:11 PDT 2006
On Thu, Jul 20, 2006 at 09:22:03AM -0700, Andrew wrote:
> I am trying to use wpa_supplicant on a MIPS embedded system, but I
> found a strange problem with function eap_tls_data_reassemble().
>
> When the authentication starts, the in_len is 0.
> The statement "data->tls_in = malloc(in_len);" in this function behaves
> differently on a Linux box and on the target. On Linux,
> malloc returns a non-null pointer, but on my target, it returns a null
> pointer. On the target, the null pointer causes the authentication to fail
> right away.
There are malloc() implementations that return NULL for zero length
allocations.
> So I am fixing the problem as follows, but I don't know if it is a proper
> way to fix it. Any line that starts with "=>" is what I added.
Thanks for reporting this.
> => if ((data->tls_in_left == 0) && (in_len == 0) && (data->tls_in == 0))
> => {
> =>     // work around
> =>     wpa_printf(MSG_DEBUG, "data->tls_in malloc work around \n");
> =>     data->tls_in = &data->tls_in_left;
This is not acceptable. data->tls_in needs to be non-zero, but pointing
it to tls_in_left (an integer) is not a very good idea.
> data->tls_in = malloc(in_len);
I changed this to malloc(in_len ? in_len : 1) in order to avoid
malloc(0) call that could return NULL with some C libraries. Similar
construction is used elsewhere in wpa_supplicant to avoid this exact
same issue.
--
Jouni Malinen PGP id EFC895FA
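The following is an added example, not code from wpa_supplicant or from either message in this thread. It illustrates the two points made in the reply: a C library may legitimately return NULL from malloc(0), so a zero-length request has to be padded to one byte before NULL can be treated as an allocation failure, and pointing the buffer at the integer length field makes the next fragment write clobber the counter. The struct tls_reassembly layout, the embedded_malloc stand-in and the reassemble_* and demo_* helpers are all assumed for illustration and do not correspond to real wpa_supplicant functions.

```c
/* Added example (not wpa_supplicant code). Shows why malloc(0) is a
 * portability trap and why aliasing the buffer pointer to the length
 * field is an aliasing bug. Names and layout are simplified stand-ins. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Simplified reassembly state; field names follow the thread, layout assumed. */
struct tls_reassembly {
    unsigned char *tls_in;   /* buffer holding the TLS message fragments */
    size_t tls_in_len;       /* bytes stored so far */
    size_t tls_in_left;      /* bytes still expected */
};

/* Stand-in for the embedded C library in the report: NULL for n == 0.
 * The C standard permits either this or a unique non-NULL pointer. */
static void *embedded_malloc(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Original shape of the allocation: a zero-length first fragment is
 * indistinguishable from an out-of-memory condition on such a libc.
 * Returns 0 on success, -1 on (apparent) failure. */
static int reassemble_start_naive(struct tls_reassembly *data,
                                  const unsigned char *in, size_t in_len)
{
    data->tls_in = embedded_malloc(in_len);
    if (data->tls_in == NULL)
        return -1;
    if (in_len)
        memcpy(data->tls_in, in, in_len);
    data->tls_in_len = in_len;
    return 0;
}

/* Fixed shape using the idiom from the reply: never request 0 bytes. */
static int reassemble_start_fixed(struct tls_reassembly *data,
                                  const unsigned char *in, size_t in_len)
{
    data->tls_in = embedded_malloc(in_len ? in_len : 1);
    if (data->tls_in == NULL)
        return -1;   /* now only a genuine allocation failure */
    if (in_len)
        memcpy(data->tls_in, in, in_len);
    data->tls_in_len = in_len;
    return 0;
}

static void reassemble_free(struct tls_reassembly *data)
{
    free(data->tls_in);
    data->tls_in = NULL;
    data->tls_in_len = 0;
}

/* Runs a zero-length first fragment through the naive and the fixed path.
 * Returns 1 when the naive path fails and the fixed path succeeds. */
int demo_zero_length_fragment(void)
{
    struct tls_reassembly data = { NULL, 0, 0 };
    int naive = reassemble_start_naive(&data, NULL, 0);
    int fixed = reassemble_start_fixed(&data, NULL, 0);
    int ok = (naive == -1) && (fixed == 0) && (data.tls_in != NULL);
    reassemble_free(&data);
    return ok;
}

/* Shows why the proposed workaround is unsafe: once tls_in aliases
 * tls_in_left, storing the next fragment byte overwrites the counter.
 * Returns 1 if tls_in_left changed after writing through tls_in. */
int demo_aliasing_hazard(void)
{
    struct tls_reassembly data = { NULL, 0, 0 };
    unsigned char fragment = 0xAB;  /* constructed sample byte */
    size_t before;

    data.tls_in = (unsigned char *)&data.tls_in_left;  /* the workaround */
    before = data.tls_in_left;
    memcpy(data.tls_in, &fragment, 1);  /* "store the first byte" */
    return data.tls_in_left != before;
}
```

Both demo functions return 1: the padded allocation makes the zero-length case behave the same on every libc, and the aliasing demo shows the counter being corrupted by the very first byte stored, which is why the pointer must go to a real allocation rather than to another field of the struct.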