From 36812092ecb11a25ca9d6d87fdeaf53e371c5043 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 26 Mar 2006 14:22:47 +1100 Subject: - djm@cvs.openbsd.org 2006/03/25 01:13:23 [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c] [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c] [uidswap.c] change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to xrealloc(p, new_nmemb, new_itemsize). realloc is particularly prone to integer overflows because it is almost always allocating "n * size" bytes, so this is a far safer API; ok deraadt@ --- session.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'session.c') diff --git a/session.c b/session.c index b00caa547..f0a0bdd2f 100644 --- a/session.c +++ b/session.c @@ -837,7 +837,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, if (envsize >= 1000) fatal("child_set_env: too many env vars"); envsize += 50; - env = (*envp) = xrealloc(env, envsize * sizeof(char *)); + env = (*envp) = xrealloc(env, envsize, sizeof(char *)); *envsizep = envsize; } /* Need to set the NULL pointer at end of array beyond the new slot. */ @@ -1941,8 +1941,8 @@ session_env_req(Session *s) for (i = 0; i < options.num_accept_env; i++) { if (match_pattern(name, options.accept_env[i])) { debug2("Setting env %d: %s=%s", s->num_env, name, val); - s->env = xrealloc(s->env, sizeof(*s->env) * - (s->num_env + 1)); + s->env = xrealloc(s->env, s->num_env + 1, + sizeof(*s->env)); s->env[s->num_env].name = name; s->env[s->num_env].val = val; s->num_env++; -- cgit v1.2.3