- djm@cvs.openbsd.org 2006/03/25 01:13:23
     [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
     [uidswap.c]
     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
     to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index bdf73ec..662f700 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -768,7 +768,7 @@
 		 */
 		if (cur_cmd == num_cmds) {
 			num_cmds *= 2;
-			entcmd = xrealloc(entcmd, num_cmds *
+			entcmd = xrealloc(entcmd, num_cmds,
 			    sizeof(entropy_cmd_t));
 		}
 	}
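Review bot: The doubling `num_cmds *= 2;` just above the changed call is still an unchecked multiplication, so whatever overflow check the three-argument xrealloc() applies to nmemb * size only ever sees the already-doubled count. If num_cmds is a signed int (its declaration is outside the hunk), overflowing it is undefined behaviour before xrealloc() is reached. A bound ahead of the doubling would close that gap, for example `if (num_cmds > INT_MAX / 2) fatal("too many entropy commands");`, where the message text is only a suggestion. The enclosing loop and function begin and end outside the hunk.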
@@ -777,7 +777,7 @@
 	memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t));
 
 	/* trim to size */
-	entropy_cmds = xrealloc(entcmd, (cur_cmd + 1) *
+	entropy_cmds = xrealloc(entcmd, (cur_cmd + 1),
 	    sizeof(entropy_cmd_t));
 
 	debug("Loaded %d entropy commands from %.100s", cur_cmd,
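Review bot: The parentheses around `(cur_cmd + 1)` in the trim call were needed only for the old multiplication and are now noise in an argument position; `entropy_cmds = xrealloc(entcmd, cur_cmd + 1,` reads more cleanly. The `/* trim to size */` comment could also say why the count is cur_cmd + 1, since the extra element appears to be the zeroed entry written by the memset() above, e.g. `/* trim to size, keeping the zeroed final entry */`. The enclosing function starts and ends outside the hunk.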