authorRuss Allbery <eagle@eyrie.org>2014-06-15 17:23:11 -0700
committerRuss Allbery <rra@stanford.edu>2014-06-15 17:29:31 -0700
commitb6b2009aa32869a2a988ba458b45b044264cfd78 (patch)
tree29c7563192eff189977c9e3d825a13d89850a86b /util
parenteda08b4d3519065c5bb241331feccde30d63383c (diff)
Use calloc and reallocarray and add malloc overflow checks
Use calloc in preference to calculating a malloc size with multiplication everywhere, and reallocarray in preference to calculating a realloc size. In most places this caution was probably not necessary, but uniformity is easier to audit and no one will ever notice the speed difference between malloc and calloc. Add explicit overflow checks before every remaining malloc call with a calculated size. Change-Id: Ifc8e577b32d45751b9d64955aa1cace8a5dedde0 Reviewed-on: https://gerrit.stanford.edu/1491 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'util')
-rw-r--r--util/tokens.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/util/tokens.c b/util/tokens.c
index e069436..5db0464 100644
--- a/util/tokens.c
+++ b/util/tokens.c
@@ -7,7 +7,7 @@
*
* Originally written by Anton Ushakov
* Extensive modifications by Russ Allbery <eagle@eyrie.org>
- * Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012
+ * Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012, 2014
* The Board of Trustees of the Leland Stanford Junior University
*
* See LICENSE for licensing terms.
@@ -61,6 +61,10 @@ token_send(socket_type fd, int flags, gss_buffer_t tok, time_t timeout)
OM_uint32 len = htonl(tok->length);
/* Send out the whole message in a single write. */
+ if (tok->length > SIZE_MAX - 1 - sizeof(OM_uint32)) {
+ errno = ENOMEM;
+ return TOKEN_FAIL_SYSTEM;
+ }
buflen = 1 + sizeof(OM_uint32) + tok->length;
buffer = malloc(buflen);
if (buffer == NULL)
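Review bot: The added guard in token_send only rules out size_t wraparound when computing `buflen`; the context line `OM_uint32 len = htonl(tok->length);` still narrows tok->length to 32 bits before it becomes the length prefix. Where size_t is wider than 32 bits, a token longer than UINT32_MAX passes this check and, assuming the rest of the function copies tok->length bytes after the prefix, would be sent with a truncated length field, so the receiver's framing no longer matches the data on the wire. Rejecting that case in the same test would close the gap: `if (tok->length > UINT32_MAX || tok->length > SIZE_MAX - 1 - sizeof(OM_uint32)) {`. SIZE_MAX and UINT32_MAX need <stdint.h> in scope, which cannot be confirmed from this hunk; token_send begins and ends outside it.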