- djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
[sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
[uidswap.c]
change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
to xrealloc(p, new_nmemb, new_itemsize).
realloc is particularly prone to integer overflows because it is
almost always allocating "n * size" bytes, so this is a far safer
API; ok deraadt@
diff --git a/uidswap.c b/uidswap.c
index ca08948..305895a 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -76,7 +76,7 @@
fatal("getgroups: %.100s", strerror(errno));
if (saved_egroupslen > 0) {
saved_egroups = xrealloc(saved_egroups,
- saved_egroupslen * sizeof(gid_t));
+ saved_egroupslen, sizeof(gid_t));
if (getgroups(saved_egroupslen, saved_egroups) < 0)
fatal("getgroups: %.100s", strerror(errno));
} else { /* saved_egroupslen == 0 */
@@ -95,7 +95,7 @@
fatal("getgroups: %.100s", strerror(errno));
if (user_groupslen > 0) {
user_groups = xrealloc(user_groups,
- user_groupslen * sizeof(gid_t));
+ user_groupslen, sizeof(gid_t));
if (getgroups(user_groupslen, user_groups) < 0)
fatal("getgroups: %.100s", strerror(errno));
} else { /* user_groupslen == 0 */