openssl/include/internal/mem_alloc_utils.h

/*
 * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Utility overflow checking and reporting functions
 */

#ifndef OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H
# define OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H

# include <limits.h>
# include <stdbool.h>
# include <stdint.h>

# include "internal/common.h"
# include "internal/safe_math.h"

# include <openssl/cryptoerr.h>
# include <openssl/err.h>

OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)

/*
 * A helper routine to report memory allocation errors.
 * Similar to the ERR_raise() macro, but accepts explicit file/line arguments,
 * pre-defines the library to ERR_LIB_CRYPTO, and avoids emitting an error
 * if both file set to NULL and line set to 0.
 */
static ossl_inline ossl_unused void
ossl_report_alloc_err_ex(const char * const file, const int line,
                         const int reason)
{
    /*
     * ossl_err_get_state_int() in err.c uses CRYPTO_zalloc(num, NULL, 0) for
     * ERR_STATE allocation. Prevent mem alloc error loop while reporting error.
     */
    if (file != NULL || line != 0) {
        ERR_new();
        ERR_set_debug(file, line, NULL);
        ERR_set_error(ERR_LIB_CRYPTO, reason, NULL);
    }
}

/* Report a memory allocation failure. */
static ossl_inline ossl_unused void
ossl_report_alloc_err(const char * const file, const int line)
{
    ossl_report_alloc_err_ex(file, line, ERR_R_MALLOC_FAILURE);
}

/* Report an integer overflow during allocation size calculation. */
static ossl_inline ossl_unused void
ossl_report_alloc_err_of(const char * const file, const int line)
{
    ossl_report_alloc_err_ex(file, line, CRYPTO_R_INTEGER_OVERFLOW);
}

/* Report invalid memory allocation call arguments. */
static ossl_inline ossl_unused void
ossl_report_alloc_err_inv(const char * const file, const int line)
{
    ossl_report_alloc_err_ex(file, line, ERR_R_PASSED_INVALID_ARGUMENT);
}

/*
 * Check the result of num and size multiplication for overflow
 * and set error if it is the case;  return true if there was no overflow,
 * false if there was.
 */
static ossl_inline ossl_unused bool
ossl_size_mul(const size_t num, const size_t size, size_t *bytes,
              const char * const file, const int line)
{
    int err = 0;
    *bytes = safe_mul_size_t(num, size, &err);

    if (ossl_unlikely(err != 0)) {
        ossl_report_alloc_err_of(file, line);

        return false;
    }

    return true;
}

/*
 * Check the result of size1 and size2 addition for overflow
 * and set error if it is the case.
 */
static ossl_inline ossl_unused bool
ossl_size_add_of(const size_t size1, const size_t size2, size_t *bytes,
                 const char * const file, const int line)
{
    *bytes = size1 + size2;

    if (ossl_unlikely(*bytes < size1)) {
        ossl_report_alloc_err_of(file, line);

        return true;
    }

    return false;
}

#endif /* OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H */
crypto/mem.c: factor out memory allocation failure reporting Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:29:35 +08:00			`/*`
			`* Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.`
			`*`
			`* Licensed under the Apache License 2.0 (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
			`*/`

			`/*`
			`* Utility overflow checking and reporting functions`
			`*/`

			`#ifndef OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H`
			`# define OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H`

Add array memory allocation routines Such routines allow alleviating the need to perform explicit integer overflow check during allocation size calculation and generally make the allocations more semantic (as they signify that a collection of NUM items, each occupying SIZE bytes is being allocated), which paves the road for additional correctness checks in the future. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:32:02 +08:00			`# include <limits.h>`
			`# include <stdbool.h>`
			`# include <stdint.h>`

crypto/mem.c: factor out memory allocation failure reporting Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:29:35 +08:00			`# include "internal/common.h"`
Add array memory allocation routines Such routines allow alleviating the need to perform explicit integer overflow check during allocation size calculation and generally make the allocations more semantic (as they signify that a collection of NUM items, each occupying SIZE bytes is being allocated), which paves the road for additional correctness checks in the future. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:32:02 +08:00			`# include "internal/safe_math.h"`
crypto/mem.c: factor out memory allocation failure reporting Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:29:35 +08:00
			`# include <openssl/cryptoerr.h>`
			`# include <openssl/err.h>`

Add array memory allocation routines Such routines allow alleviating the need to perform explicit integer overflow check during allocation size calculation and generally make the allocations more semantic (as they signify that a collection of NUM items, each occupying SIZE bytes is being allocated), which paves the road for additional correctness checks in the future. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:32:02 +08:00			`OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)`

crypto/mem.c: factor out memory allocation failure reporting Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:29:35 +08:00			`/*`
			`* A helper routine to report memory allocation errors.`
			`* Similar to the ERR_raise() macro, but accepts explicit file/line arguments,`
			`* pre-defines the library to ERR_LIB_CRYPTO, and avoids emitting an error`
			`* if both file set to NULL and line set to 0.`
			`*/`
			`static ossl_inline ossl_unused void`
			`ossl_report_alloc_err_ex(const char * const file, const int line,`
			`const int reason)`
			`{`
			`/*`
			`* ossl_err_get_state_int() in err.c uses CRYPTO_zalloc(num, NULL, 0) for`
			`* ERR_STATE allocation. Prevent mem alloc error loop while reporting error.`
			`*/`
			`if (file != NULL \|\| line != 0) {`
			`ERR_new();`
			`ERR_set_debug(file, line, NULL);`
			`ERR_set_error(ERR_LIB_CRYPTO, reason, NULL);`
			`}`
			`}`

			`/* Report a memory allocation failure. */`
Add array memory allocation routines Such routines allow alleviating the need to perform explicit integer overflow check during allocation size calculation and generally make the allocations more semantic (as they signify that a collection of NUM items, each occupying SIZE bytes is being allocated), which paves the road for additional correctness checks in the future. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:32:02 +08:00			`static ossl_inline ossl_unused void`
crypto/mem.c: factor out memory allocation failure reporting Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:29:35 +08:00			`ossl_report_alloc_err(const char * const file, const int line)`
			`{`
			`ossl_report_alloc_err_ex(file, line, ERR_R_MALLOC_FAILURE);`
			`}`

Add array memory allocation routines Such routines allow alleviating the need to perform explicit integer overflow check during allocation size calculation and generally make the allocations more semantic (as they signify that a collection of NUM items, each occupying SIZE bytes is being allocated), which paves the road for additional correctness checks in the future. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:32:02 +08:00			`/* Report an integer overflow during allocation size calculation. */`
			`static ossl_inline ossl_unused void`
			`ossl_report_alloc_err_of(const char * const file, const int line)`
			`{`
			`ossl_report_alloc_err_ex(file, line, CRYPTO_R_INTEGER_OVERFLOW);`
			`}`

crypto/mem.c: check the alignment for being a power of 2 in CRYPTO_aligned_alloc Otherwise the roundup calculation performed in the open-coded implementation may put the pointer out of bounds. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-31 20:27:22 +08:00			`/* Report invalid memory allocation call arguments. */`
			`static ossl_inline ossl_unused void`
			`ossl_report_alloc_err_inv(const char * const file, const int line)`
			`{`
			`ossl_report_alloc_err_ex(file, line, ERR_R_PASSED_INVALID_ARGUMENT);`
			`}`

Add array memory allocation routines Such routines allow alleviating the need to perform explicit integer overflow check during allocation size calculation and generally make the allocations more semantic (as they signify that a collection of NUM items, each occupying SIZE bytes is being allocated), which paves the road for additional correctness checks in the future. Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:32:02 +08:00			`/*`
			`* Check the result of num and size multiplication for overflow`
			`* and set error if it is the case; return true if there was no overflow,`
			`* false if there was.`
			`*/`
			`static ossl_inline ossl_unused bool`
			`ossl_size_mul(const size_t num, const size_t size, size_t *bytes,`
			`const char * const file, const int line)`
			`{`
			`int err = 0;`
			`*bytes = safe_mul_size_t(num, size, &err);`

			`if (ossl_unlikely(err != 0)) {`
			`ossl_report_alloc_err_of(file, line);`

			`return false;`
			`}`

			`return true;`
			`}`

crypto/params_dup.c: add overflow check to ossl_param_buf_alloc Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 21:10:25 +08:00			`/*`
			`* Check the result of size1 and size2 addition for overflow`
			`* and set error if it is the case.`
			`*/`
			`static ossl_inline ossl_unused bool`
			`ossl_size_add_of(const size_t size1, const size_t size2, size_t *bytes,`
			`const char * const file, const int line)`
			`{`
			`*bytes = size1 + size2;`

			`if (ossl_unlikely(*bytes < size1)) {`
			`ossl_report_alloc_err_of(file, line);`

			`return true;`
			`}`

			`return false;`
			`}`

crypto/mem.c: factor out memory allocation failure reporting Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059) 2025-07-17 09:29:35 +08:00			`#endif /* OSSL_INTERNAL_CHECK_SIZE_OVERFLOW_H */`