malloc zero length buffer

Jouni Malinen jkmaline at cc.hut.fi
Fri Jul 21 23:53:11 EDT 2006


On Thu, Jul 20, 2006 at 09:22:03AM -0700, Andrew wrote:

> I am trying to use wpa_supplicant on a MIPS embedded system, but I
> found a strange problem with function eap_tls_data_reassemble(). 
> 
> When the authentication starts, the in_len is 0. 
> The statement - "data->tls_in = malloc(in_len);" in this function behaves
> differently when it is on a Linux box and when it is on the target. On Linux,
> the malloc returns a non-null pointer, but on my target, it returns a null
> pointer. On the target, the null pointer causes the authentication failure
> right away.

There are malloc() implementations that return NULL for zero-length
allocations.

> So I am fixing the problem as follows, but I don't know if it is a proper
> way to fix it. Any line starting with "=>" is what I added.

Thanks for reporting this.

> =>                if ((data->tls_in_left == 0) && (in_len == 0) && (data->tls_in == 0))
> =>                {
> =>                     // work around
> =>                     wpa_printf(MSG_DEBUG, "data->tls_in malloc work around \n");
> =>                     data->tls_in = & data->tls_in_left;

This is not acceptable. data->tls_in needs to be non-zero, but pointing
it to tls_in_left (an integer) is not a very good idea.

> 		     data->tls_in = malloc(in_len);

I changed this to malloc(in_len ? in_len : 1) in order to avoid a
malloc(0) call that could return NULL with some C libraries. A similar
construction is used elsewhere in wpa_supplicant to avoid this exact
same issue.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
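The guard discussed in this thread, shown in a small fragment-reassembly buffer written for this page as an added example (it is not wpa_supplicant's code; the struct, function names and the announced-total bookkeeping are assumptions made for illustration). It keeps an empty first fragment from being mistaken for an allocation failure and also bounds how far a later fragment may grow the buffer:

```c
/* Added example, not wpa_supplicant code; type and function names are made up. */
#include <stdlib.h>
#include <string.h>
struct tls_reasm {
    unsigned char *tls_in;  /* reassembled TLS data received so far */
    size_t tls_in_len;      /* bytes currently stored in tls_in */
    size_t tls_in_left;     /* bytes the peer still has to send */
};
/* First fragment (d->tls_in must be NULL). Some C libraries return NULL from
 * malloc(0), which would make an empty message look like ENOMEM, so request at
 * least one byte: the malloc(in_len ? in_len : 1) guard from the reply above. */
int tls_reasm_start(struct tls_reasm *d, const unsigned char *in,
                    size_t in_len, size_t total_len)
{
    d->tls_in = malloc(in_len ? in_len : 1);
    if (d->tls_in == NULL) return -1;
    if (in_len)
        memcpy(d->tls_in, in, in_len);
    d->tls_in_len = in_len;
    d->tls_in_left = total_len > in_len ? total_len - in_len : 0;
    return 0;
}
/* Later fragment: grow the buffer, but never past the announced total. */
int tls_reasm_append(struct tls_reasm *d, const unsigned char *in, size_t in_len)
{
    unsigned char *buf;
    if (in_len > d->tls_in_left) return -1;  /* more than the peer announced */
    if (in_len == 0) return 0;               /* never realloc(ptr, 0): may free ptr */
    if ((buf = realloc(d->tls_in, d->tls_in_len + in_len)) == NULL)
        return -1;
    memcpy(buf + d->tls_in_len, in, in_len);
    d->tls_in = buf;
    d->tls_in_len += in_len;
    d->tls_in_left -= in_len;
    return 0;
}
/* The thread's scenario (empty first fragment) plus a round trip; 1 if OK. */
int tls_reasm_selftest(void)
{
    struct tls_reasm d = { NULL, 0, 0 };
    const unsigned char a[] = "ab", b[] = "c";   /* constructed fragments */
    int ok = tls_reasm_start(&d, NULL, 0, 3) == 0 && d.tls_in != NULL
          && tls_reasm_append(&d, a, 2) == 0
          && tls_reasm_append(&d, a, 2) == -1   /* exceeds announced total */
          && tls_reasm_append(&d, b, 1) == 0
          && d.tls_in_left == 0 && memcmp(d.tls_in, "abc", 3) == 0;
    free(d.tls_in);
    return ok;
}
```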