- djm@cvs.openbsd.org 2006/04/16 07:59:00

     [atomicio.c]
     reorder sanity test so that it cannot dereference past the end of the
     iov array; well spotted canacar@!

2 files changed, 7 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 0a597a4fe..b2a607098 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,10 @@
      commands, which would result in a separate tiny packet on the wire by
      using atomiciov(writev, ...) to write the length and the command in one
      pass; ok deraadt@
+   - djm@cvs.openbsd.org 2006/04/16 07:59:00
+     [atomicio.c]
+     reorder sanity test so that it cannot dereference past the end of the
+     iov array; well spotted canacar@!
 
 20060421
  - (djm) [Makefile.in configure.ac session.c sshpty.c]
@@ -4548,4 +4552,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4309 2006/04/23 02:06:35 djm Exp $
+$Id: ChangeLog,v 1.4310 2006/04/23 02:06:49 djm Exp $
diff --git a/atomicio.c b/atomicio.c
index de5363aa3..3939785df 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.18 2006/04/16 00:52:55 djm Exp $ */
+/* $OpenBSD: atomicio.c,v 1.19 2006/04/16 07:59:00 djm Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -99,7 +99,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
                                 iovcnt--;
                         }
                         /* This shouldn't happen... */
-                        if (rem > iov[0].iov_len || (rem > 0 && iovcnt <= 0)) {
+                        if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) {
                                 errno = EFAULT;
                                 return 0;
                         }