authorDamien Miller <djm@mindrot.org>2006-03-26 14:22:47 +1100
committerDamien Miller <djm@mindrot.org>2006-03-26 14:22:47 +1100
commit36812092ecb11a25ca9d6d87fdeaf53e371c5043 (patch)
tree257ccc18998146f7f6e6c25cbb0ff9bd6de946a5
parent07d86bec5eeaf19fe33dca99c8ebcbe9a77c3938 (diff)
- djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c] [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c] [uidswap.c] change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to xrealloc(p, new_nmemb, new_itemsize). realloc is particularly prone to integer overflows because it is almost always allocating "n * size" bytes, so this is a far safer API; ok deraadt@
-rw-r--r--ChangeLog12
-rw-r--r--auth-pam.c4
-rw-r--r--buffer.c2
-rw-r--r--channels.c17
-rw-r--r--deattack.c2
-rw-r--r--misc.c2
-rw-r--r--scp.c2
-rw-r--r--session.c6
-rw-r--r--sftp-client.c3
-rw-r--r--sftp-server.c2
-rw-r--r--ssh-agent.c2
-rw-r--r--ssh-rand-helper.c4
-rw-r--r--ssh-rsa.c2
-rw-r--r--uidswap.c4
-rw-r--r--xmalloc.c10
-rw-r--r--xmalloc.h4
16 files changed, 48 insertions, 30 deletions
diff --git a/ChangeLog b/ChangeLog
index 20d034a6e..9d129a183 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -118,6 +118,16 @@
118 to die 118 to die
119 119
120 feedback and ok deraadt@ 120 feedback and ok deraadt@
121 - djm@cvs.openbsd.org 2006/03/25 01:13:23
122 [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
123 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
124 [uidswap.c]
125 change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
126 to xrealloc(p, new_nmemb, new_itemsize).
127
128 realloc is particularly prone to integer overflows because it is
129 almost always allocating "n * size" bytes, so this is a far safer
130 API; ok deraadt@
121 131
12220060325 13220060325
123 - OpenBSD CVS Sync 133 - OpenBSD CVS Sync
@@ -4375,4 +4385,4 @@
4375 - (djm) Trim deprecated options from INSTALL. Mention UsePAM 4385 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
4376 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 4386 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4377 4387
4378$Id: ChangeLog,v 1.4273 2006/03/26 03:19:21 djm Exp $ 4388$Id: ChangeLog,v 1.4274 2006/03/26 03:22:47 djm Exp $
diff --git a/auth-pam.c b/auth-pam.c
index 3d64de76a..c12f413e7 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -703,7 +703,7 @@ sshpam_query(void *ctx, char **name, char **info,
703 case PAM_PROMPT_ECHO_OFF: 703 case PAM_PROMPT_ECHO_OFF:
704 *num = 1; 704 *num = 1;
705 len = plen + mlen + 1; 705 len = plen + mlen + 1;
706 **prompts = xrealloc(**prompts, len); 706 **prompts = xrealloc(**prompts, 1, len);
707 strlcpy(**prompts + plen, msg, len - plen); 707 strlcpy(**prompts + plen, msg, len - plen);
708 plen += mlen; 708 plen += mlen;
709 **echo_on = (type == PAM_PROMPT_ECHO_ON); 709 **echo_on = (type == PAM_PROMPT_ECHO_ON);
@@ -713,7 +713,7 @@ sshpam_query(void *ctx, char **name, char **info,
713 case PAM_TEXT_INFO: 713 case PAM_TEXT_INFO:
714 /* accumulate messages */ 714 /* accumulate messages */
715 len = plen + mlen + 2; 715 len = plen + mlen + 2;
716 **prompts = xrealloc(**prompts, len); 716 **prompts = xrealloc(**prompts, 1, len);
717 strlcpy(**prompts + plen, msg, len - plen); 717 strlcpy(**prompts + plen, msg, len - plen);
718 plen += mlen; 718 plen += mlen;
719 strlcat(**prompts + plen, "\n", len - plen); 719 strlcat(**prompts + plen, "\n", len - plen);
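Review bot: Both converted calls in sshpam_query pass `1, len`, so the new `nmemb * size` guard in xrealloc() can never fire here; the arithmetic that could wrap is the caller's `len = plen + mlen + 1` and `len = plen + mlen + 2` on the lines just above each call. The declarations of len, plen and mlen are outside these hunks, so whether a long PAM message can make the sum wrap is not visible; if it can, the check belongs before the addition, for example `if (mlen > SIZE_T_MAX - plen - 2) fatal("sshpam_query: prompt too long");` with the limit adjusted to the actual type. The same `1, n` form is used in scp.c and ssh-rsa.c, where the size computation is also outside the hunk; buffer.c has its own BUFFER_MAX_LEN test. sshpam_query starts and ends outside the hunks shown.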
diff --git a/buffer.c b/buffer.c
index 08682e0f1..1666f742e 100644
--- a/buffer.c
+++ b/buffer.c
@@ -109,7 +109,7 @@ restart:
109 if (newlen > BUFFER_MAX_LEN) 109 if (newlen > BUFFER_MAX_LEN)
110 fatal("buffer_append_space: alloc %u not supported", 110 fatal("buffer_append_space: alloc %u not supported",
111 newlen); 111 newlen);
112 buffer->buf = xrealloc(buffer->buf, newlen); 112 buffer->buf = xrealloc(buffer->buf, 1, newlen);
113 buffer->alloc = newlen; 113 buffer->alloc = newlen;
114 goto restart; 114 goto restart;
115 /* NOTREACHED */ 115 /* NOTREACHED */
diff --git a/channels.c b/channels.c
index 0e7d5cf58..5706833a9 100644
--- a/channels.c
+++ b/channels.c
@@ -266,8 +266,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
266 if (channels_alloc > 10000) 266 if (channels_alloc > 10000)
267 fatal("channel_new: internal error: channels_alloc %d " 267 fatal("channel_new: internal error: channels_alloc %d "
268 "too big.", channels_alloc); 268 "too big.", channels_alloc);
269 channels = xrealloc(channels, 269 channels = xrealloc(channels, channels_alloc + 10,
270 (channels_alloc + 10) * sizeof(Channel *)); 270 sizeof(Channel *));
271 channels_alloc += 10; 271 channels_alloc += 10;
272 debug2("channel: expanding %d", channels_alloc); 272 debug2("channel: expanding %d", channels_alloc);
273 for (i = found; i < channels_alloc; i++) 273 for (i = found; i < channels_alloc; i++)
@@ -1789,15 +1789,20 @@ void
1789channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1789channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
1790 u_int *nallocp, int rekeying) 1790 u_int *nallocp, int rekeying)
1791{ 1791{
1792 u_int n, sz; 1792 u_int n, sz, nfdset;
1793 1793
1794 n = MAX(*maxfdp, channel_max_fd); 1794 n = MAX(*maxfdp, channel_max_fd);
1795 1795
1796 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); 1796 nfdset = howmany(n+1, NFDBITS);
1797 /* Explicitly test here, because xrealloc isn't always called */
1798 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask))
1799 fatal("channel_prepare_select: max_fd (%d) is too large", n);
1800 sz = nfdset * sizeof(fd_mask);
1801
1797 /* perhaps check sz < nalloc/2 and shrink? */ 1802 /* perhaps check sz < nalloc/2 and shrink? */
1798 if (*readsetp == NULL || sz > *nallocp) { 1803 if (*readsetp == NULL || sz > *nallocp) {
1799 *readsetp = xrealloc(*readsetp, sz); 1804 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask));
1800 *writesetp = xrealloc(*writesetp, sz); 1805 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask));
1801 *nallocp = sz; 1806 *nallocp = sz;
1802 } 1807 }
1803 *maxfdp = n; 1808 *maxfdp = n;
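Review bot: The new fatal() in channel_prepare_select prints `n` with `%d`, but `n` is declared `u_int` at the top of the function, so a value large enough to trip the check would be reported as a negative number; `fatal("channel_prepare_select: max_fd (%u) is too large", n);` matches the type. The guard tests the product against SIZE_T_MAX while the result is stored in the u_int `sz` and in `*nallocp`, so where size_t is wider than u_int it does not cover truncation of `sz`; that looks unreachable for real descriptor counts, but a comment saying so would help the next reader. The function body continues past the end of the hunk.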
diff --git a/deattack.c b/deattack.c
index 746ff5d43..ff9ca4dd5 100644
--- a/deattack.c
+++ b/deattack.c
@@ -97,7 +97,7 @@ detect_attack(u_char *buf, u_int32_t len)
97 n = l; 97 n = l;
98 } else { 98 } else {
99 if (l > n) { 99 if (l > n) {
100 h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); 100 h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE);
101 n = l; 101 n = l;
102 } 102 }
103 } 103 }
diff --git a/misc.c b/misc.c
index bf7b1ed66..96d90dec9 100644
--- a/misc.c
+++ b/misc.c
@@ -425,7 +425,7 @@ addargs(arglist *args, char *fmt, ...)
425 } else if (args->num+2 >= nalloc) 425 } else if (args->num+2 >= nalloc)
426 nalloc *= 2; 426 nalloc *= 2;
427 427
428 args->list = xrealloc(args->list, nalloc * sizeof(char *)); 428 args->list = xrealloc(args->list, nalloc, sizeof(char *));
429 args->nalloc = nalloc; 429 args->nalloc = nalloc;
430 args->list[args->num++] = cp; 430 args->list[args->num++] = cp;
431 args->list[args->num] = NULL; 431 args->list[args->num] = NULL;
diff --git a/scp.c b/scp.c
index bf9db97cf..3068b8d32 100644
--- a/scp.c
+++ b/scp.c
@@ -1190,7 +1190,7 @@ allocbuf(BUF *bp, int fd, int blksize)
1190 if (bp->buf == NULL) 1190 if (bp->buf == NULL)
1191 bp->buf = xmalloc(size); 1191 bp->buf = xmalloc(size);
1192 else 1192 else
1193 bp->buf = xrealloc(bp->buf, size); 1193 bp->buf = xrealloc(bp->buf, 1, size);
1194 memset(bp->buf, 0, size); 1194 memset(bp->buf, 0, size);
1195 bp->cnt = size; 1195 bp->cnt = size;
1196 return (bp); 1196 return (bp);
diff --git a/session.c b/session.c
index b00caa547..f0a0bdd2f 100644
--- a/session.c
+++ b/session.c
@@ -837,7 +837,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
837 if (envsize >= 1000) 837 if (envsize >= 1000)
838 fatal("child_set_env: too many env vars"); 838 fatal("child_set_env: too many env vars");
839 envsize += 50; 839 envsize += 50;
840 env = (*envp) = xrealloc(env, envsize * sizeof(char *)); 840 env = (*envp) = xrealloc(env, envsize, sizeof(char *));
841 *envsizep = envsize; 841 *envsizep = envsize;
842 } 842 }
843 /* Need to set the NULL pointer at end of array beyond the new slot. */ 843 /* Need to set the NULL pointer at end of array beyond the new slot. */
@@ -1941,8 +1941,8 @@ session_env_req(Session *s)
1941 for (i = 0; i < options.num_accept_env; i++) { 1941 for (i = 0; i < options.num_accept_env; i++) {
1942 if (match_pattern(name, options.accept_env[i])) { 1942 if (match_pattern(name, options.accept_env[i])) {
1943 debug2("Setting env %d: %s=%s", s->num_env, name, val); 1943 debug2("Setting env %d: %s=%s", s->num_env, name, val);
1944 s->env = xrealloc(s->env, sizeof(*s->env) * 1944 s->env = xrealloc(s->env, s->num_env + 1,
1945 (s->num_env + 1)); 1945 sizeof(*s->env));
1946 s->env[s->num_env].name = name; 1946 s->env[s->num_env].name = name;
1947 s->env[s->num_env].val = val; 1947 s->env[s->num_env].val = val;
1948 s->num_env++; 1948 s->num_env++;
diff --git a/sftp-client.c b/sftp-client.c
index c34f919a4..8b4d67b58 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -393,8 +393,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
393 printf("%s\n", longname); 393 printf("%s\n", longname);
394 394
395 if (dir) { 395 if (dir) {
396 *dir = xrealloc(*dir, sizeof(**dir) * 396 *dir = xrealloc(*dir, ents + 2, sizeof(**dir));
397 (ents + 2));
398 (*dir)[ents] = xmalloc(sizeof(***dir)); 397 (*dir)[ents] = xmalloc(sizeof(***dir));
399 (*dir)[ents]->filename = xstrdup(filename); 398 (*dir)[ents]->filename = xstrdup(filename);
400 (*dir)[ents]->longname = xstrdup(longname); 399 (*dir)[ents]->longname = xstrdup(longname);
diff --git a/sftp-server.c b/sftp-server.c
index a6add52aa..52b7323c2 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -716,7 +716,7 @@ process_readdir(void)
716 while ((dp = readdir(dirp)) != NULL) { 716 while ((dp = readdir(dirp)) != NULL) {
717 if (count >= nstats) { 717 if (count >= nstats) {
718 nstats *= 2; 718 nstats *= 2;
719 stats = xrealloc(stats, nstats * sizeof(Stat)); 719 stats = xrealloc(stats, nstats, sizeof(Stat));
720 } 720 }
721/* XXX OVERFLOW ? */ 721/* XXX OVERFLOW ? */
722 snprintf(pathname, sizeof pathname, "%s%s%s", path, 722 snprintf(pathname, sizeof pathname, "%s%s%s", path,
diff --git a/ssh-agent.c b/ssh-agent.c
index 67bde5560..042b18f54 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -803,7 +803,7 @@ new_socket(sock_type type, int fd)
803 } 803 }
804 old_alloc = sockets_alloc; 804 old_alloc = sockets_alloc;
805 new_alloc = sockets_alloc + 10; 805 new_alloc = sockets_alloc + 10;
806 sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); 806 sockets = xrealloc(sockets, new_alloc, sizeof(sockets[0]));
807 for (i = old_alloc; i < new_alloc; i++) 807 for (i = old_alloc; i < new_alloc; i++)
808 sockets[i].type = AUTH_UNUSED; 808 sockets[i].type = AUTH_UNUSED;
809 sockets_alloc = new_alloc; 809 sockets_alloc = new_alloc;
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index bdf73ec48..662f70080 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -768,7 +768,7 @@ prng_read_commands(char *cmdfilename)
768 */ 768 */
769 if (cur_cmd == num_cmds) { 769 if (cur_cmd == num_cmds) {
770 num_cmds *= 2; 770 num_cmds *= 2;
771 entcmd = xrealloc(entcmd, num_cmds * 771 entcmd = xrealloc(entcmd, num_cmds,
772 sizeof(entropy_cmd_t)); 772 sizeof(entropy_cmd_t));
773 } 773 }
774 } 774 }
@@ -777,7 +777,7 @@ prng_read_commands(char *cmdfilename)
777 memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t)); 777 memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t));
778 778
779 /* trim to size */ 779 /* trim to size */
780 entropy_cmds = xrealloc(entcmd, (cur_cmd + 1) * 780 entropy_cmds = xrealloc(entcmd, (cur_cmd + 1),
781 sizeof(entropy_cmd_t)); 781 sizeof(entropy_cmd_t));
782 782
783 debug("Loaded %d entropy commands from %.100s", cur_cmd, 783 debug("Loaded %d entropy commands from %.100s", cur_cmd,
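Review bot: The parentheses in `xrealloc(entcmd, (cur_cmd + 1),` at the trim-to-size call are a leftover from the old `(cur_cmd + 1) * sizeof(entropy_cmd_t)` expression and no longer group anything; `entropy_cmds = xrealloc(entcmd, cur_cmd + 1,` reads the same as the other converted call sites. prng_read_commands starts and ends outside the hunks shown.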
diff --git a/ssh-rsa.c b/ssh-rsa.c
index ce4195fea..55fb7ba59 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -144,7 +144,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
144 u_int diff = modlen - len; 144 u_int diff = modlen - len;
145 debug("ssh_rsa_verify: add padding: modlen %u > len %u", 145 debug("ssh_rsa_verify: add padding: modlen %u > len %u",
146 modlen, len); 146 modlen, len);
147 sigblob = xrealloc(sigblob, modlen); 147 sigblob = xrealloc(sigblob, 1, modlen);
148 memmove(sigblob + diff, sigblob, len); 148 memmove(sigblob + diff, sigblob, len);
149 memset(sigblob, 0, diff); 149 memset(sigblob, 0, diff);
150 len = modlen; 150 len = modlen;
diff --git a/uidswap.c b/uidswap.c
index ca0894806..305895a44 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -76,7 +76,7 @@ temporarily_use_uid(struct passwd *pw)
76 fatal("getgroups: %.100s", strerror(errno)); 76 fatal("getgroups: %.100s", strerror(errno));
77 if (saved_egroupslen > 0) { 77 if (saved_egroupslen > 0) {
78 saved_egroups = xrealloc(saved_egroups, 78 saved_egroups = xrealloc(saved_egroups,
79 saved_egroupslen * sizeof(gid_t)); 79 saved_egroupslen, sizeof(gid_t));
80 if (getgroups(saved_egroupslen, saved_egroups) < 0) 80 if (getgroups(saved_egroupslen, saved_egroups) < 0)
81 fatal("getgroups: %.100s", strerror(errno)); 81 fatal("getgroups: %.100s", strerror(errno));
82 } else { /* saved_egroupslen == 0 */ 82 } else { /* saved_egroupslen == 0 */
@@ -95,7 +95,7 @@ temporarily_use_uid(struct passwd *pw)
95 fatal("getgroups: %.100s", strerror(errno)); 95 fatal("getgroups: %.100s", strerror(errno));
96 if (user_groupslen > 0) { 96 if (user_groupslen > 0) {
97 user_groups = xrealloc(user_groups, 97 user_groups = xrealloc(user_groups,
98 user_groupslen * sizeof(gid_t)); 98 user_groupslen, sizeof(gid_t));
99 if (getgroups(user_groupslen, user_groups) < 0) 99 if (getgroups(user_groupslen, user_groups) < 0)
100 fatal("getgroups: %.100s", strerror(errno)); 100 fatal("getgroups: %.100s", strerror(errno));
101 } else { /* user_groupslen == 0 */ 101 } else { /* user_groupslen == 0 */
diff --git a/xmalloc.c b/xmalloc.c
index 6d56781d9..d5d7b6bc5 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -35,7 +35,7 @@ xcalloc(size_t nmemb, size_t size)
35{ 35{
36 void *ptr; 36 void *ptr;
37 37
38 if (nmemb && size && SIZE_T_MAX / nmemb < size) 38 if (nmemb && size && SIZE_T_MAX / nmemb < size)
39 fatal("xcalloc: nmemb * size > SIZE_T_MAX"); 39 fatal("xcalloc: nmemb * size > SIZE_T_MAX");
40 if (size == 0 || nmemb == 0) 40 if (size == 0 || nmemb == 0)
41 fatal("xcalloc: zero size"); 41 fatal("xcalloc: zero size");
@@ -47,10 +47,13 @@ xcalloc(size_t nmemb, size_t size)
47} 47}
48 48
49void * 49void *
50xrealloc(void *ptr, size_t new_size) 50xrealloc(void *ptr, size_t nmemb, size_t size)
51{ 51{
52 void *new_ptr; 52 void *new_ptr;
53 size_t new_size = nmemb * size;
53 54
55 if (nmemb && size && SIZE_T_MAX / nmemb < size)
56 fatal("xrealloc: nmemb * size > SIZE_T_MAX");
54 if (new_size == 0) 57 if (new_size == 0)
55 fatal("xrealloc: zero size"); 58 fatal("xrealloc: zero size");
56 if (ptr == NULL) 59 if (ptr == NULL)
@@ -58,7 +61,8 @@ xrealloc(void *ptr, size_t new_size)
58 else 61 else
59 new_ptr = realloc(ptr, new_size); 62 new_ptr = realloc(ptr, new_size);
60 if (new_ptr == NULL) 63 if (new_ptr == NULL)
61 fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size); 64 fatal("xrealloc: out of memory (new_size %lu bytes)",
65 (u_long) new_size);
62 return new_ptr; 66 return new_ptr;
63} 67}
64 68
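Review bot: In xrealloc() the product is formed in the initializer `size_t new_size = nmemb * size;` before the overflow guard has run. size_t arithmetic wraps rather than being undefined, and assuming fatal() does not return the wrapped value never reaches realloc(), so this is about readability: declaring `size_t new_size;` and assigning `new_size = nmemb * size;` after the guard keeps the check-then-use order obvious. A short comment above the function stating that it calls fatal() on overflow, on a zero-byte request and on allocation failure would document the new contract for callers. The guard is the same expression as the one in xcalloc() and could live in one shared static helper.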
diff --git a/xmalloc.h b/xmalloc.h
index b6d521a66..ef29787bd 100644
--- a/xmalloc.h
+++ b/xmalloc.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: xmalloc.h,v 1.10 2006/03/25 00:05:41 djm Exp $ */ 1/* $OpenBSD: xmalloc.h,v 1.11 2006/03/25 01:13:23 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -21,7 +21,7 @@
21 21
22void *xmalloc(size_t); 22void *xmalloc(size_t);
23void *xcalloc(size_t, size_t); 23void *xcalloc(size_t, size_t);
24void *xrealloc(void *, size_t); 24void *xrealloc(void *, size_t, size_t);
25void xfree(void *); 25void xfree(void *);
26char *xstrdup(const char *); 26char *xstrdup(const char *);
27int xasprintf(char **, const char *, ...) 27int xasprintf(char **, const char *, ...)
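Review bot: The new prototype `void *xrealloc(void *, size_t, size_t);` does not show which size_t is the element count and which is the element size, and the commit touches many call sites that have to get the order right. Naming the parameters, `void *xrealloc(void *ptr, size_t nmemb, size_t size);`, would match the definition in xmalloc.c. The neighbouring prototypes are unnamed as well, so this is a style choice for the whole header rather than a defect in this line.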