upstream commit

Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065

1 files changed, 2 insertions, 14 deletions

diff --git a/authfile.c b/authfile.c
index af4190eeb..3481e0b04 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.125 2017/05/30 08:49:32 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.126 2017/05/31 09:15:42 deraadt Exp $ */
 /*
  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
  *
@@ -100,25 +100,13 @@ sshkey_load_file(int fd, struct sshbuf *blob)
         u_char buf[1024];
         size_t len;
         struct stat st;
-        int r, dontmax = 0;
+        int r;
 
         if (fstat(fd, &st) < 0)
                 return SSH_ERR_SYSTEM_ERROR;
         if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
             st.st_size > MAX_KEY_FILE_SIZE)
                 return SSH_ERR_INVALID_FORMAT;
-        /*
-         * Pre-allocate the buffer used for the key contents and clamp its
-         * maximum size. This ensures that key contents are never leaked via
-         * implicit realloc() in the sshbuf code.
-         */
-        if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
-                st.st_size = 64*1024; /* 64k ought to be enough for anybody. :) */
-                dontmax = 1;
-        }
-        if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
-            (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
-                return r;
         for (;;) {
                 if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
                         if (errno == EPIPE)