Merge branch '3201-no-vla' into 'main'

Avoid using C99 variable length arrays

Closes #3201

See merge request isc-projects/bind9!5956

CHANGES

@@ -1,3 +1,6 @@
+5834.	[cleanup]	C99 variable-length arrays are difficult to use safely,
+			so avoid them except in test code. [GL #3201]
+
 5833.	[bug]		When encountering socket error while trying to initiate
 			a TCP connection to a server, dig could hang
 			indefinitely, when there were more servers to try.

Makefile.tests

@@ -7,6 +7,9 @@ TESTS = $(check_PROGRAMS)
 
 LOG_COMPILER = $(builddir)/../../unit-test-driver.sh
 
+AM_CFLAGS +=					\
+	$(TEST_CFLAGS)
+
 AM_CPPFLAGS +=					\
 	$(CMOCKA_CFLAGS)			\
 	-DNAMED_PLUGINDIR=\"$(libdir)/named\"	\

bin/tests/Makefile.am

@@ -7,6 +7,9 @@ noinst_PROGRAMS =	\
 	test_server	\
 	wire_test
 
+AM_CFLAGS +=			\
+	$(TEST_CFLAGS)
+
 test_client_CPPFLAGS =		\
 	$(AM_CPPFLAGS)		\
 	$(LIBISC_CFLAGS)

configure.ac

@@ -117,7 +117,10 @@ AS_IF([test "$enable_static" != "no" && test "$enable_developer" != "yes"],
 STD_CFLAGS="-Wall -Wextra -Wwrite-strings -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow"
 
 # These should be always errors
-STD_CFLAGS="$STD_CFLAGS -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes"
+STD_CFLAGS="$STD_CFLAGS -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -Werror=vla"
+
+# ... except in test code
+TEST_CFLAGS="-Wno-vla"
 
 # Fortify the sources by default
 STD_CPPFLAGS="-D_FORTIFY_SOURCE=2"
@@ -159,6 +162,7 @@ AS_IF([test "$enable_developer" = "yes"],
 AC_SUBST([DEVELOPER_MODE])
 AC_SUBST([STD_CFLAGS])
 AC_SUBST([STD_CPPFLAGS])
+AC_SUBST([TEST_CFLAGS])
 
 # [pairwise: --enable-warn-error, --disable-warn-error]
 AC_ARG_ENABLE([warn_error],

doc/dev/style.md

@@ -683,9 +683,14 @@ Declare variables as constant if they are not to be modified.
 
 #### Variable-Length Arrays
 
-Use VLAs where it is more appropriate to allocate the memory on the stack rather
-than allocate it using `isc_mem_get()` from the heap.  Usually, a short lived
-arrays local to that particular functions would be good fit for using VLAs.
+VLAs are unsafe when it is important to handle allocation failure in a
+controlled manner rather than an uncontrolled crash. They are safer if the
+array size is checked first, but then you lose a lot of their simplicity
+and readability.
+
+VLAs should not be used in most code in BIND. VLAs are OK in test code
+where the lack of safety doesn't matter. The default compiler flags enforce
+this rule.
 
 #### <a name="public_namespace"></a>Public Interface Namespace
 

fuzz/Makefile.am

@@ -1,5 +1,8 @@
 include $(top_srcdir)/Makefile.top
 
+AM_CFLAGS +=				\
+	$(TEST_CFLAGS)
+
 AM_CPPFLAGS +=				\
 	$(LIBISC_CFLAGS)		\
 	$(LIBDNS_CFLAGS)		\

lib/dns/gssapi_link.c

@@ -189,11 +189,10 @@ gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 static isc_result_t
 gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
-	isc_region_t message, r;
+	isc_region_t message;
 	gss_buffer_desc gmessage, gsig;
 	OM_uint32 minor, gret;
 	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
-	unsigned char buf[sig->length];
 	char err[1024];
 
 	/*
@@ -202,11 +201,7 @@ gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	 */
 	isc_buffer_usedregion(ctx->buffer, &message);
 	REGION_TO_GBUFFER(message, gmessage);
-
-	memmove(buf, sig->base, sig->length);
-	r.base = buf;
-	r.length = sig->length;
-	REGION_TO_GBUFFER(r, gsig);
+	REGION_TO_GBUFFER(*sig, gsig);
 
 	/*
 	 * Verify the data.