diff options
author | Damien Miller <djm@mindrot.org> | 2006-03-26 14:22:47 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-03-26 14:22:47 +1100 |
commit | 36812092ecb11a25ca9d6d87fdeaf53e371c5043 (patch) | |
tree | 257ccc18998146f7f6e6c25cbb0ff9bd6de946a5 /channels.c | |
parent | 07d86bec5eeaf19fe33dca99c8ebcbe9a77c3938 (diff) |
- djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
[sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
[uidswap.c]
change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
to xrealloc(p, new_nmemb, new_itemsize).
realloc is particularly prone to integer overflows because it is
almost always allocating "n * size" bytes, so this is a far safer
API; ok deraadt@
Diffstat (limited to 'channels.c')
-rw-r--r-- | channels.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/channels.c b/channels.c index 0e7d5cf58..5706833a9 100644 --- a/channels.c +++ b/channels.c | |||
@@ -266,8 +266,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, | |||
266 | if (channels_alloc > 10000) | 266 | if (channels_alloc > 10000) |
267 | fatal("channel_new: internal error: channels_alloc %d " | 267 | fatal("channel_new: internal error: channels_alloc %d " |
268 | "too big.", channels_alloc); | 268 | "too big.", channels_alloc); |
269 | channels = xrealloc(channels, | 269 | channels = xrealloc(channels, channels_alloc + 10, |
270 | (channels_alloc + 10) * sizeof(Channel *)); | 270 | sizeof(Channel *)); |
271 | channels_alloc += 10; | 271 | channels_alloc += 10; |
272 | debug2("channel: expanding %d", channels_alloc); | 272 | debug2("channel: expanding %d", channels_alloc); |
273 | for (i = found; i < channels_alloc; i++) | 273 | for (i = found; i < channels_alloc; i++) |
@@ -1789,15 +1789,20 @@ void | |||
1789 | channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, | 1789 | channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, |
1790 | u_int *nallocp, int rekeying) | 1790 | u_int *nallocp, int rekeying) |
1791 | { | 1791 | { |
1792 | u_int n, sz; | 1792 | u_int n, sz, nfdset; |
1793 | 1793 | ||
1794 | n = MAX(*maxfdp, channel_max_fd); | 1794 | n = MAX(*maxfdp, channel_max_fd); |
1795 | 1795 | ||
1796 | sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); | 1796 | nfdset = howmany(n+1, NFDBITS); |
1797 | /* Explicitly test here, because xrealloc isn't always called */ | ||
1798 | if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) | ||
1799 | fatal("channel_prepare_select: max_fd (%d) is too large", n); | ||
1800 | sz = nfdset * sizeof(fd_mask); | ||
1801 | |||
1797 | /* perhaps check sz < nalloc/2 and shrink? */ | 1802 | /* perhaps check sz < nalloc/2 and shrink? */ |
1798 | if (*readsetp == NULL || sz > *nallocp) { | 1803 | if (*readsetp == NULL || sz > *nallocp) { |
1799 | *readsetp = xrealloc(*readsetp, sz); | 1804 | *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); |
1800 | *writesetp = xrealloc(*writesetp, sz); | 1805 | *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); |
1801 | *nallocp = sz; | 1806 | *nallocp = sz; |
1802 | } | 1807 | } |
1803 | *maxfdp = n; | 1808 | *maxfdp = n; |