diff options
| author | Damien Miller <djm@mindrot.org> | 2006-03-26 05:22:47 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-03-26 05:22:47 +0200 |
| commit | 36812092ecb11a25ca9d6d87fdeaf53e371c5043 (patch) | |
| tree | 257ccc18998146f7f6e6c25cbb0ff9bd6de946a5 /session.c | |
| parent | - djm@cvs.openbsd.org 2006/03/25 00:05:41 (diff) | |
| download | openssh-36812092ecb11a25ca9d6d87fdeaf53e371c5043.tar.xz openssh-36812092ecb11a25ca9d6d87fdeaf53e371c5043.zip | |
- djm@cvs.openbsd.org 2006/03/25 01:13:23
[buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
[sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
[uidswap.c]
change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
to xrealloc(p, new_nmemb, new_itemsize).
realloc is particularly prone to integer overflows because it is
almost always allocating "n * size" bytes, so this is a far safer
API; ok deraadt@
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -837,7 +837,7 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, if (envsize >= 1000) fatal("child_set_env: too many env vars"); envsize += 50; - env = (*envp) = xrealloc(env, envsize * sizeof(char *)); + env = (*envp) = xrealloc(env, envsize, sizeof(char *)); *envsizep = envsize; } /* Need to set the NULL pointer at end of array beyond the new slot. */ @@ -1941,8 +1941,8 @@ session_env_req(Session *s) for (i = 0; i < options.num_accept_env; i++) { if (match_pattern(name, options.accept_env[i])) { debug2("Setting env %d: %s=%s", s->num_env, name, val); - s->env = xrealloc(s->env, sizeof(*s->env) * - (s->num_env + 1)); + s->env = xrealloc(s->env, s->num_env + 1, + sizeof(*s->env)); s->env[s->num_env].name = name; s->env[s->num_env].val = val; s->num_env++; |