diff options
| author | Damien Miller <djm@mindrot.org> | 2006-03-26 14:22:47 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-03-26 14:22:47 +1100 |
| commit | 36812092ecb11a25ca9d6d87fdeaf53e371c5043 (patch) | |
| tree | 257ccc18998146f7f6e6c25cbb0ff9bd6de946a5 /channels.c | |
| parent | 07d86bec5eeaf19fe33dca99c8ebcbe9a77c3938 (diff) | |
- djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
[sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
[uidswap.c]
change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
to xrealloc(p, new_nmemb, new_itemsize).
realloc is particularly prone to integer overflows because it is
almost always allocating "n * size" bytes, so this is a far safer
API; ok deraadt@
Diffstat (limited to 'channels.c')
| -rw-r--r-- | channels.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/channels.c b/channels.c index 0e7d5cf58..5706833a9 100644 --- a/channels.c +++ b/channels.c | |||
| @@ -266,8 +266,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, | |||
| 266 | if (channels_alloc > 10000) | 266 | if (channels_alloc > 10000) |
| 267 | fatal("channel_new: internal error: channels_alloc %d " | 267 | fatal("channel_new: internal error: channels_alloc %d " |
| 268 | "too big.", channels_alloc); | 268 | "too big.", channels_alloc); |
| 269 | channels = xrealloc(channels, | 269 | channels = xrealloc(channels, channels_alloc + 10, |
| 270 | (channels_alloc + 10) * sizeof(Channel *)); | 270 | sizeof(Channel *)); |
| 271 | channels_alloc += 10; | 271 | channels_alloc += 10; |
| 272 | debug2("channel: expanding %d", channels_alloc); | 272 | debug2("channel: expanding %d", channels_alloc); |
| 273 | for (i = found; i < channels_alloc; i++) | 273 | for (i = found; i < channels_alloc; i++) |
| @@ -1789,15 +1789,20 @@ void | |||
| 1789 | channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, | 1789 | channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, |
| 1790 | u_int *nallocp, int rekeying) | 1790 | u_int *nallocp, int rekeying) |
| 1791 | { | 1791 | { |
| 1792 | u_int n, sz; | 1792 | u_int n, sz, nfdset; |
| 1793 | 1793 | ||
| 1794 | n = MAX(*maxfdp, channel_max_fd); | 1794 | n = MAX(*maxfdp, channel_max_fd); |
| 1795 | 1795 | ||
| 1796 | sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); | 1796 | nfdset = howmany(n+1, NFDBITS); |
| 1797 | /* Explicitly test here, because xrealloc isn't always called */ | ||
| 1798 | if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) | ||
| 1799 | fatal("channel_prepare_select: max_fd (%d) is too large", n); | ||
| 1800 | sz = nfdset * sizeof(fd_mask); | ||
| 1801 | |||
| 1797 | /* perhaps check sz < nalloc/2 and shrink? */ | 1802 | /* perhaps check sz < nalloc/2 and shrink? */ |
| 1798 | if (*readsetp == NULL || sz > *nallocp) { | 1803 | if (*readsetp == NULL || sz > *nallocp) { |
| 1799 | *readsetp = xrealloc(*readsetp, sz); | 1804 | *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); |
| 1800 | *writesetp = xrealloc(*writesetp, sz); | 1805 | *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); |
| 1801 | *nallocp = sz; | 1806 | *nallocp = sz; |
| 1802 | } | 1807 | } |
| 1803 | *maxfdp = n; | 1808 | *maxfdp = n; |