authorRuss Allbery <eagle@eyrie.org>2014-06-15 17:23:11 -0700
committerRuss Allbery <rra@stanford.edu>2014-06-15 17:29:31 -0700
commitb6b2009aa32869a2a988ba458b45b044264cfd78 (patch)
tree29c7563192eff189977c9e3d825a13d89850a86b /client
parenteda08b4d3519065c5bb241331feccde30d63383c (diff)
Use calloc and reallocarray and add malloc overflow checks
Use calloc in preference to calculating a malloc size with multiplication everywhere, and reallocarray in preference to calculating a realloc size. In most places this caution was probably not necessary, but uniformity is easier to audit and no one will ever notice the speed difference between malloc and calloc. Add explicit overflow checks before every remaining malloc call with a calculated size. Change-Id: Ifc8e577b32d45751b9d64955aa1cace8a5dedde0 Reviewed-on: https://gerrit.stanford.edu/1491 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'client')
-rw-r--r--client/api.c2
-rw-r--r--client/client-v1.c7
2 files changed, 7 insertions, 2 deletions
diff --git a/client/api.c b/client/api.c
index 6eacb64..e3dfe3d 100644
--- a/client/api.c
+++ b/client/api.c
@@ -541,7 +541,7 @@ remctl_command(struct remctl *r, const char **command)
internal_set_error(r, "cannot send empty command");
return 0;
}
- vector = malloc(sizeof(struct iovec) * count);
+ vector = calloc(count, sizeof(struct iovec));
if (vector == NULL) {
internal_set_error(r, "cannot allocate memory: %s", strerror(errno));
return 0;
diff --git a/client/client-v1.c b/client/client-v1.c
index ec710fb..2c4446f 100644
--- a/client/client-v1.c
+++ b/client/client-v1.c
@@ -45,8 +45,13 @@ internal_v1_commandv(struct remctl *r, const struct iovec *command,
/* Allocate room for the total message: argc, {<length><arg>}+. */
token.length = 4;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count; i++) {
+ if (token.length >= SIZE_MAX - 4 - command[i].iov_len) {
+ internal_set_error(r, "memory allocation too large");
+ return false;
+ }
token.length += 4 + command[i].iov_len;
+ }
token.value = malloc(token.length);
if (token.value == NULL) {
internal_set_error(r, "cannot allocate memory: %s", strerror(errno));
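Review bot: The guard added inside the loop can itself wrap. When `command[i].iov_len` is larger than `SIZE_MAX - 4`, the subtraction `SIZE_MAX - 4 - command[i].iov_len` underflows to a huge value, so the comparison is false and `token.length += 4 + command[i].iov_len` still overflows. `malloc(token.length)` then returns a buffer smaller than the arguments that are presumably copied into it after the hunk. Testing the operand first closes the gap: `if (command[i].iov_len > SIZE_MAX - 4 || token.length >= SIZE_MAX - 4 - command[i].iov_len) {`. A length that large cannot describe a real object, but the iovec array appears to be caller-supplied, so it is worth rejecting explicitly; the body of internal_v1_commandv starts and ends outside the hunk.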