From 36812092ecb11a25ca9d6d87fdeaf53e371c5043 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sun, 26 Mar 2006 14:22:47 +1100
Subject:    - djm@cvs.openbsd.org 2006/03/25 01:13:23      [buffer.c
 channels.c deattack.c misc.c scp.c session.c sftp-client.c]     
 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]     
 [uidswap.c]      change OpenSSH's xrealloc() function from being xrealloc(p,
 new_size)      to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
---
 ssh-rand-helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'ssh-rand-helper.c')

diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index bdf73ec48..662f70080 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -768,7 +768,7 @@ prng_read_commands(char *cmdfilename)
 		 */
 		if (cur_cmd == num_cmds) {
 			num_cmds *= 2;
-			entcmd = xrealloc(entcmd, num_cmds *
+			entcmd = xrealloc(entcmd, num_cmds,
 			    sizeof(entropy_cmd_t));
 		}
 	}
@@ -777,7 +777,7 @@ prng_read_commands(char *cmdfilename)
 	memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t));
 
 	/* trim to size */
-	entropy_cmds = xrealloc(entcmd, (cur_cmd + 1) *
+	entropy_cmds = xrealloc(entcmd, (cur_cmd + 1),
 	    sizeof(entropy_cmd_t));
 
 	debug("Loaded %d entropy commands from %.100s", cur_cmd,
-- 
cgit v1.2.3