-rw-r--r-- | ChangeLog | 12 | ||||
-rw-r--r-- | auth-pam.c | 4 | ||||
-rw-r--r-- | buffer.c | 2 | ||||
-rw-r--r-- | channels.c | 17 | ||||
-rw-r--r-- | deattack.c | 2 | ||||
-rw-r--r-- | misc.c | 2 | ||||
-rw-r--r-- | scp.c | 2 | ||||
-rw-r--r-- | session.c | 6 | ||||
-rw-r--r-- | sftp-client.c | 3 | ||||
-rw-r--r-- | sftp-server.c | 2 | ||||
-rw-r--r-- | ssh-agent.c | 2 | ||||
-rw-r--r-- | ssh-rand-helper.c | 4 | ||||
-rw-r--r-- | ssh-rsa.c | 2 | ||||
-rw-r--r-- | uidswap.c | 4 | ||||
-rw-r--r-- | xmalloc.c | 10 | ||||
-rw-r--r-- | xmalloc.h | 4 |
16 files changed, 48 insertions, 30 deletions
@@ -118,6 +118,16 @@ | |||
118 | to die | 118 | to die |
119 | 119 | ||
120 | feedback and ok deraadt@ | 120 | feedback and ok deraadt@ |
121 | - djm@cvs.openbsd.org 2006/03/25 01:13:23 | ||
122 | [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c] | ||
123 | [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c] | ||
124 | [uidswap.c] | ||
125 | change OpenSSH's xrealloc() function from being xrealloc(p, new_size) | ||
126 | to xrealloc(p, new_nmemb, new_itemsize). | ||
127 | |||
128 | realloc is particularly prone to integer overflows because it is | ||
129 | almost always allocating "n * size" bytes, so this is a far safer | ||
130 | API; ok deraadt@ | ||
121 | 131 | ||
122 | 20060325 | 132 | 20060325 |
123 | - OpenBSD CVS Sync | 133 | - OpenBSD CVS Sync |
@@ -4375,4 +4385,4 @@ | |||
4375 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 4385 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
4376 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 4386 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
4377 | 4387 | ||
4378 | $Id: ChangeLog,v 1.4273 2006/03/26 03:19:21 djm Exp $ | 4388 | $Id: ChangeLog,v 1.4274 2006/03/26 03:22:47 djm Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 3d64de76a..c12f413e7 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -703,7 +703,7 @@ sshpam_query(void *ctx, char **name, char **info, | |||
703 | case PAM_PROMPT_ECHO_OFF: | 703 | case PAM_PROMPT_ECHO_OFF: |
704 | *num = 1; | 704 | *num = 1; |
705 | len = plen + mlen + 1; | 705 | len = plen + mlen + 1; |
706 | **prompts = xrealloc(**prompts, len); | 706 | **prompts = xrealloc(**prompts, 1, len); |
707 | strlcpy(**prompts + plen, msg, len - plen); | 707 | strlcpy(**prompts + plen, msg, len - plen); |
708 | plen += mlen; | 708 | plen += mlen; |
709 | **echo_on = (type == PAM_PROMPT_ECHO_ON); | 709 | **echo_on = (type == PAM_PROMPT_ECHO_ON); |
@@ -713,7 +713,7 @@ sshpam_query(void *ctx, char **name, char **info, | |||
713 | case PAM_TEXT_INFO: | 713 | case PAM_TEXT_INFO: |
714 | /* accumulate messages */ | 714 | /* accumulate messages */ |
715 | len = plen + mlen + 2; | 715 | len = plen + mlen + 2; |
716 | **prompts = xrealloc(**prompts, len); | 716 | **prompts = xrealloc(**prompts, 1, len); |
717 | strlcpy(**prompts + plen, msg, len - plen); | 717 | strlcpy(**prompts + plen, msg, len - plen); |
718 | plen += mlen; | 718 | plen += mlen; |
719 | strlcat(**prompts + plen, "\n", len - plen); | 719 | strlcat(**prompts + plen, "\n", len - plen); |
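Review bot: Both sshpam_query hunks still form the size by plain addition (`len = plen + mlen + 1;` and `len = plen + mlen + 2;`) before calling `xrealloc(**prompts, 1, len)`, so the overflow test added to xrealloc never sees the arithmetic that matters here. With nmemb fixed at 1, `SIZE_T_MAX / nmemb < size` can never be true. The declarations of len, plen and mlen are outside the hunk, so whether a wrap is reachable cannot be confirmed from here. If they are size_t, a guard before the addition such as `if (mlen > SIZE_T_MAX - plen - 2) fatal("sshpam_query: prompt too long");` would cover both cases. The other `xrealloc(p, 1, n)` call sites in this commit (scp.c allocbuf, ssh-rsa.c ssh_rsa_verify) rely on their callers in the same way; buffer.c at least checks `newlen > BUFFER_MAX_LEN` first.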
@@ -109,7 +109,7 @@ restart: | |||
109 | if (newlen > BUFFER_MAX_LEN) | 109 | if (newlen > BUFFER_MAX_LEN) |
110 | fatal("buffer_append_space: alloc %u not supported", | 110 | fatal("buffer_append_space: alloc %u not supported", |
111 | newlen); | 111 | newlen); |
112 | buffer->buf = xrealloc(buffer->buf, newlen); | 112 | buffer->buf = xrealloc(buffer->buf, 1, newlen); |
113 | buffer->alloc = newlen; | 113 | buffer->alloc = newlen; |
114 | goto restart; | 114 | goto restart; |
115 | /* NOTREACHED */ | 115 | /* NOTREACHED */ |
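--- a/channels.c
+++ b/channels.c
@@ -266,8 +266,8 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
 if (channels_alloc > 10000)
 fatal("channel_new: internal error: channels_alloc %d "
 "too big.", channels_alloc);
-channels = xrealloc(channels,
-(channels_alloc + 10) * sizeof(Channel *));
+channels = xrealloc(channels, channels_alloc + 10,
+sizeof(Channel *));
 channels_alloc += 10;
 debug2("channel: expanding %d", channels_alloc);
 for (i = found; i < channels_alloc; i++)
@@ -1789,15 +1789,20 @@ void
 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
 u_int *nallocp, int rekeying)
 {
-u_int n, sz;
+u_int n, sz, nfdset;
 
 n = MAX(*maxfdp, channel_max_fd);
 
-sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
+nfdset = howmany(n+1, NFDBITS);
+/* Explicitly test here, because xrealloc isn't always called */
+if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask))
+fatal("channel_prepare_select: max_fd (%d) is too large", n);
+sz = nfdset * sizeof(fd_mask);
+
 /* perhaps check sz < nalloc/2 and shrink? */
 if (*readsetp == NULL || sz > *nallocp) {
-*readsetp = xrealloc(*readsetp, sz);
-*writesetp = xrealloc(*writesetp, sz);
+*readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask));
+*writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask));
 *nallocp = sz;
 }
 *maxfdp = n;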
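Review bot: The new fatal() in channel_prepare_select prints `n` with `%d`, but `n` is declared `u_int` at the top of the function, so a very large value would be logged as a negative number in exactly the case this message exists to report; `fatal("channel_prepare_select: max_fd (%u) is too large", n);` matches the type. Separately, the guard tests the product against SIZE_T_MAX while `sz` and `*nallocp` are `u_int`, so where size_t is wider than u_int the assignment `sz = nfdset * sizeof(fd_mask)` is not what the test protects. Because nfdset is a u_int divided down by NFDBITS this looks unreachable in practice, but a one-line comment saying so next to the test would save the next reader the arithmetic. The function body continues past the end of the hunk.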
diff --git a/deattack.c b/deattack.c index 746ff5d43..ff9ca4dd5 100644 --- a/deattack.c +++ b/deattack.c | |||
@@ -97,7 +97,7 @@ detect_attack(u_char *buf, u_int32_t len) | |||
97 | n = l; | 97 | n = l; |
98 | } else { | 98 | } else { |
99 | if (l > n) { | 99 | if (l > n) { |
100 | h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); | 100 | h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE); |
101 | n = l; | 101 | n = l; |
102 | } | 102 | } |
103 | } | 103 | } |
@@ -425,7 +425,7 @@ addargs(arglist *args, char *fmt, ...) | |||
425 | } else if (args->num+2 >= nalloc) | 425 | } else if (args->num+2 >= nalloc) |
426 | nalloc *= 2; | 426 | nalloc *= 2; |
427 | 427 | ||
428 | args->list = xrealloc(args->list, nalloc * sizeof(char *)); | 428 | args->list = xrealloc(args->list, nalloc, sizeof(char *)); |
429 | args->nalloc = nalloc; | 429 | args->nalloc = nalloc; |
430 | args->list[args->num++] = cp; | 430 | args->list[args->num++] = cp; |
431 | args->list[args->num] = NULL; | 431 | args->list[args->num] = NULL; |
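Review bot: In addargs the growth step `nalloc *= 2` runs before the call, so the overflow test xrealloc now performs only covers the multiplication by `sizeof(char *)`, not the doubling itself. The declaration of nalloc is outside the hunk: if it is unsigned, a wrapped value reaches xrealloc as a small count ahead of the writes to `args->list[args->num++]`, and if it is signed, the overflow is undefined before xrealloc is ever entered. The same pattern is visible in sftp-server.c process_readdir (`nstats *= 2`) and ssh-rand-helper.c prng_read_commands (`num_cmds *= 2`). A bound ahead of the doubling, in the style channel_new already uses for channels_alloc, would close it, for example `if (nalloc > INT_MAX / 2) fatal("addargs: nalloc too large");` with the limit chosen to match nalloc's real type. The function starts and ends outside the hunk.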
@@ -1190,7 +1190,7 @@ allocbuf(BUF *bp, int fd, int blksize) | |||
1190 | if (bp->buf == NULL) | 1190 | if (bp->buf == NULL) |
1191 | bp->buf = xmalloc(size); | 1191 | bp->buf = xmalloc(size); |
1192 | else | 1192 | else |
1193 | bp->buf = xrealloc(bp->buf, size); | 1193 | bp->buf = xrealloc(bp->buf, 1, size); |
1194 | memset(bp->buf, 0, size); | 1194 | memset(bp->buf, 0, size); |
1195 | bp->cnt = size; | 1195 | bp->cnt = size; |
1196 | return (bp); | 1196 | return (bp); |
@@ -837,7 +837,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, | |||
837 | if (envsize >= 1000) | 837 | if (envsize >= 1000) |
838 | fatal("child_set_env: too many env vars"); | 838 | fatal("child_set_env: too many env vars"); |
839 | envsize += 50; | 839 | envsize += 50; |
840 | env = (*envp) = xrealloc(env, envsize * sizeof(char *)); | 840 | env = (*envp) = xrealloc(env, envsize, sizeof(char *)); |
841 | *envsizep = envsize; | 841 | *envsizep = envsize; |
842 | } | 842 | } |
843 | /* Need to set the NULL pointer at end of array beyond the new slot. */ | 843 | /* Need to set the NULL pointer at end of array beyond the new slot. */ |
@@ -1941,8 +1941,8 @@ session_env_req(Session *s) | |||
1941 | for (i = 0; i < options.num_accept_env; i++) { | 1941 | for (i = 0; i < options.num_accept_env; i++) { |
1942 | if (match_pattern(name, options.accept_env[i])) { | 1942 | if (match_pattern(name, options.accept_env[i])) { |
1943 | debug2("Setting env %d: %s=%s", s->num_env, name, val); | 1943 | debug2("Setting env %d: %s=%s", s->num_env, name, val); |
1944 | s->env = xrealloc(s->env, sizeof(*s->env) * | 1944 | s->env = xrealloc(s->env, s->num_env + 1, |
1945 | (s->num_env + 1)); | 1945 | sizeof(*s->env)); |
1946 | s->env[s->num_env].name = name; | 1946 | s->env[s->num_env].name = name; |
1947 | s->env[s->num_env].val = val; | 1947 | s->env[s->num_env].val = val; |
1948 | s->num_env++; | 1948 | s->num_env++; |
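--- a/sftp-client.c
+++ b/sftp-client.c
@@ -393,8 +393,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
 printf("%s\n", longname);
 
 if (dir) {
-*dir = xrealloc(*dir, sizeof(**dir) *
-(ents + 2));
+*dir = xrealloc(*dir, ents + 2, sizeof(**dir));
 (*dir)[ents] = xmalloc(sizeof(***dir));
 (*dir)[ents]->filename = xstrdup(filename);
 (*dir)[ents]->longname = xstrdup(longname);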
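--- a/sftp-server.c
+++ b/sftp-server.c
@@ -716,7 +716,7 @@ process_readdir(void)
 while ((dp = readdir(dirp)) != NULL) {
 if (count >= nstats) {
 nstats *= 2;
-stats = xrealloc(stats, nstats * sizeof(Stat));
+stats = xrealloc(stats, nstats, sizeof(Stat));
 }
 /* XXX OVERFLOW ? */
 snprintf(pathname, sizeof pathname, "%s%s%s", path,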
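--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -803,7 +803,7 @@ new_socket(sock_type type, int fd)
 }
 old_alloc = sockets_alloc;
 new_alloc = sockets_alloc + 10;
-sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+sockets = xrealloc(sockets, new_alloc, sizeof(sockets[0]));
 for (i = old_alloc; i < new_alloc; i++)
 sockets[i].type = AUTH_UNUSED;
 sockets_alloc = new_alloc;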
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index bdf73ec48..662f70080 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c | |||
@@ -768,7 +768,7 @@ prng_read_commands(char *cmdfilename) | |||
768 | */ | 768 | */ |
769 | if (cur_cmd == num_cmds) { | 769 | if (cur_cmd == num_cmds) { |
770 | num_cmds *= 2; | 770 | num_cmds *= 2; |
771 | entcmd = xrealloc(entcmd, num_cmds * | 771 | entcmd = xrealloc(entcmd, num_cmds, |
772 | sizeof(entropy_cmd_t)); | 772 | sizeof(entropy_cmd_t)); |
773 | } | 773 | } |
774 | } | 774 | } |
@@ -777,7 +777,7 @@ prng_read_commands(char *cmdfilename) | |||
777 | memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t)); | 777 | memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t)); |
778 | 778 | ||
779 | /* trim to size */ | 779 | /* trim to size */ |
780 | entropy_cmds = xrealloc(entcmd, (cur_cmd + 1) * | 780 | entropy_cmds = xrealloc(entcmd, (cur_cmd + 1), |
781 | sizeof(entropy_cmd_t)); | 781 | sizeof(entropy_cmd_t)); |
782 | 782 | ||
783 | debug("Loaded %d entropy commands from %.100s", cur_cmd, | 783 | debug("Loaded %d entropy commands from %.100s", cur_cmd, |
@@ -144,7 +144,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, | |||
144 | u_int diff = modlen - len; | 144 | u_int diff = modlen - len; |
145 | debug("ssh_rsa_verify: add padding: modlen %u > len %u", | 145 | debug("ssh_rsa_verify: add padding: modlen %u > len %u", |
146 | modlen, len); | 146 | modlen, len); |
147 | sigblob = xrealloc(sigblob, modlen); | 147 | sigblob = xrealloc(sigblob, 1, modlen); |
148 | memmove(sigblob + diff, sigblob, len); | 148 | memmove(sigblob + diff, sigblob, len); |
149 | memset(sigblob, 0, diff); | 149 | memset(sigblob, 0, diff); |
150 | len = modlen; | 150 | len = modlen; |
@@ -76,7 +76,7 @@ temporarily_use_uid(struct passwd *pw) | |||
76 | fatal("getgroups: %.100s", strerror(errno)); | 76 | fatal("getgroups: %.100s", strerror(errno)); |
77 | if (saved_egroupslen > 0) { | 77 | if (saved_egroupslen > 0) { |
78 | saved_egroups = xrealloc(saved_egroups, | 78 | saved_egroups = xrealloc(saved_egroups, |
79 | saved_egroupslen * sizeof(gid_t)); | 79 | saved_egroupslen, sizeof(gid_t)); |
80 | if (getgroups(saved_egroupslen, saved_egroups) < 0) | 80 | if (getgroups(saved_egroupslen, saved_egroups) < 0) |
81 | fatal("getgroups: %.100s", strerror(errno)); | 81 | fatal("getgroups: %.100s", strerror(errno)); |
82 | } else { /* saved_egroupslen == 0 */ | 82 | } else { /* saved_egroupslen == 0 */ |
@@ -95,7 +95,7 @@ temporarily_use_uid(struct passwd *pw) | |||
95 | fatal("getgroups: %.100s", strerror(errno)); | 95 | fatal("getgroups: %.100s", strerror(errno)); |
96 | if (user_groupslen > 0) { | 96 | if (user_groupslen > 0) { |
97 | user_groups = xrealloc(user_groups, | 97 | user_groups = xrealloc(user_groups, |
98 | user_groupslen * sizeof(gid_t)); | 98 | user_groupslen, sizeof(gid_t)); |
99 | if (getgroups(user_groupslen, user_groups) < 0) | 99 | if (getgroups(user_groupslen, user_groups) < 0) |
100 | fatal("getgroups: %.100s", strerror(errno)); | 100 | fatal("getgroups: %.100s", strerror(errno)); |
101 | } else { /* user_groupslen == 0 */ | 101 | } else { /* user_groupslen == 0 */ |
@@ -35,7 +35,7 @@ xcalloc(size_t nmemb, size_t size) | |||
35 | { | 35 | { |
36 | void *ptr; | 36 | void *ptr; |
37 | 37 | ||
38 | if (nmemb && size && SIZE_T_MAX / nmemb < size) | 38 | if (nmemb && size && SIZE_T_MAX / nmemb < size) |
39 | fatal("xcalloc: nmemb * size > SIZE_T_MAX"); | 39 | fatal("xcalloc: nmemb * size > SIZE_T_MAX"); |
40 | if (size == 0 || nmemb == 0) | 40 | if (size == 0 || nmemb == 0) |
41 | fatal("xcalloc: zero size"); | 41 | fatal("xcalloc: zero size"); |
@@ -47,10 +47,13 @@ xcalloc(size_t nmemb, size_t size) | |||
47 | } | 47 | } |
48 | 48 | ||
49 | void * | 49 | void * |
50 | xrealloc(void *ptr, size_t new_size) | 50 | xrealloc(void *ptr, size_t nmemb, size_t size) |
51 | { | 51 | { |
52 | void *new_ptr; | 52 | void *new_ptr; |
53 | size_t new_size = nmemb * size; | ||
53 | 54 | ||
55 | if (nmemb && size && SIZE_T_MAX / nmemb < size) | ||
56 | fatal("xrealloc: nmemb * size > SIZE_T_MAX"); | ||
54 | if (new_size == 0) | 57 | if (new_size == 0) |
55 | fatal("xrealloc: zero size"); | 58 | fatal("xrealloc: zero size"); |
56 | if (ptr == NULL) | 59 | if (ptr == NULL) |
@@ -58,7 +61,8 @@ xrealloc(void *ptr, size_t new_size) | |||
58 | else | 61 | else |
59 | new_ptr = realloc(ptr, new_size); | 62 | new_ptr = realloc(ptr, new_size); |
60 | if (new_ptr == NULL) | 63 | if (new_ptr == NULL) |
61 | fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size); | 64 | fatal("xrealloc: out of memory (new_size %lu bytes)", |
65 | (u_long) new_size); | ||
62 | return new_ptr; | 66 | return new_ptr; |
63 | } | 67 | } |
64 | 68 | ||
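Review bot: xrealloc's new three-argument contract is undocumented at its definition, and the product is computed in the initializer (`size_t new_size = nmemb * size;`) before the guard that validates it. The wrap is well defined for size_t and the value is not read until after the SIZE_T_MAX test, so this is not a defect, but declaring `size_t new_size;` and assigning `new_size = nmemb * size;` after the test would make the check-then-multiply order obvious to anyone auditing allocation sites. I would also add a header comment stating that the function calls fatal() when nmemb * size would exceed SIZE_T_MAX, when the product is zero, or when allocation fails, so callers never receive NULL, and that a NULL ptr is accepted. The `ptr == NULL` test is visible, but the statement it guards falls between the two hunks.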
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: xmalloc.h,v 1.10 2006/03/25 00:05:41 djm Exp $ */ | 1 | /* $OpenBSD: xmalloc.h,v 1.11 2006/03/25 01:13:23 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -21,7 +21,7 @@ | |||
21 | 21 | ||
22 | void *xmalloc(size_t); | 22 | void *xmalloc(size_t); |
23 | void *xcalloc(size_t, size_t); | 23 | void *xcalloc(size_t, size_t); |
24 | void *xrealloc(void *, size_t); | 24 | void *xrealloc(void *, size_t, size_t); |
25 | void xfree(void *); | 25 | void xfree(void *); |
26 | char *xstrdup(const char *); | 26 | char *xstrdup(const char *); |
27 | int xasprintf(char **, const char *, ...) | 27 | int xasprintf(char **, const char *, ...) |