On 09/02/2014 11:22 PM, James Nelson wrote:

> This is error-prone because even though a size parameter is given, the code
> in the function has no requirement to enforce it. With a bounded array
> type, the prototype looks like this:
>
> buf *foo(char buf[sz], size_t sz);

GCC already has a syntax extension to support this: <https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html>

> The compiler now knows how large `buf` is, and it can put bounds checks
> into the code (which may be disabled with -O3).

We tried this, but it is hard to find information about it, see “Bounded Pointers”.

Nowadays, there is -fsanitize=object-size, but I don't know if it uses VLA lengths: <https://gcc.gnu.org/ml/gcc-patches/2014-07/msg00923.html>

Historically, propagation of object sizes from malloc and VLAs to __builtin_object_size was rather incomplete.

--
Florian Weimer / Red Hat Product Security
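An added example, not from the thread and not GCC's forward-declaration extension: it uses standard C99 VLA parameters to show the difference between a plain `char buf[sz]` parameter (which decays to `char *`, so nothing carries the bound) and a pointer-to-VLA `char (*buf)[sz]` (where `sizeof *buf` equals `sz` at run time, so the callee can check the bound itself). All names and the buffer sizes are made up for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Standard C99 parameter form (size first, then the VLA parameter).
   The array parameter still decays to char *, so the compiler enforces
   nothing: sizeof buf is sizeof(char *), not sz. */
size_t plain_param_size(size_t sz, char buf[sz])
{
    (void)sz;
    return sizeof buf;
}

/* Pointer-to-VLA form: the bound travels with the type, so sizeof *buf
   evaluates to sz at run time and the callee can check against it. */
size_t bounded_param_size(size_t sz, char (*buf)[sz])
{
    return sizeof *buf;
}

/* Copy a string into a bounded buffer; refuse (return -1) rather than
   overflow when the source (plus terminator) does not fit. */
int copy_bounded(size_t sz, char (*buf)[sz], const char *src)
{
    size_t need = strlen(src) + 1;   /* include the NUL terminator */
    if (need > sizeof *buf)
        return -1;
    memcpy(*buf, src, need);
    return 0;
}

/* Constructed check: a 16-byte local buffer passed both ways. */
int sizes_as_expected(void)
{
    char b[16];
    return plain_param_size(sizeof b, b) == sizeof(char *)
        && bounded_param_size(sizeof b, &b) == sizeof b;
}

/* Constructed check: an 8-byte local buffer; 0 = copied, -1 = rejected. */
int try_copy(const char *src)
{
    char small[8];
    return copy_bounded(sizeof small, &small, src);
}
```

The runtime check in copy_bounded is what the callee has to write by hand; compiler-inserted checks such as -fsanitize=object-size are a separate mechanism and, as the thread notes, may not see VLA lengths.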
