author | Damien Miller <djm@cvs.openbsd.org> | 2022-03-20 08:51:22 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2022-03-20 08:51:22 +0000 |
commit | d7c610f80f6f25ddd528f3a17ea9d32fe1a4e5a9 (patch) | |
tree | eceacf3a7195e780675cbd396cfa76b579c45a9a /usr.bin/ssh/misc.c | |
parent | 94a5e44ef9de664d308d6d8bc020f8a5b8493988 (diff) |
make addargs() and replacearg() a little more robust and improve error
reporting
make freeargs(NULL) a noop like the other free functions
ok dtucker as part of bz3403
Diffstat (limited to 'usr.bin/ssh/misc.c')
-rw-r--r-- | usr.bin/ssh/misc.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c
index 1c3248955f9..287f031fa86 100644
--- a/usr.bin/ssh/misc.c
+++ b/usr.bin/ssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.174 2022/02/11 00:43:56 dtucker Exp $ */
+/* $OpenBSD: misc.c,v 1.175 2022/03/20 08:51:21 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -1022,16 +1022,21 @@ addargs(arglist *args, char *fmt, ...)
 r = vasprintf(&cp, fmt, ap);
 va_end(ap);
 if (r == -1)
- fatal("addargs: argument too long");
+ fatal_f("argument too long");
 nalloc = args->nalloc;
 if (args->list == NULL) {
 nalloc = 32;
 args->num = 0;
- } else if (args->num+2 >= nalloc)
+ } else if (args->num > (256 * 1024))
+ fatal_f("too many arguments");
+ else if (args->num >= args->nalloc)
+ fatal_f("arglist corrupt");
+ else if (args->num+2 >= nalloc)
 nalloc *= 2;
- args->list = xrecallocarray(args->list, args->nalloc, nalloc, sizeof(char *));
+ args->list = xrecallocarray(args->list, args->nalloc,
+ nalloc, sizeof(char *));
 args->nalloc = nalloc;
 args->list[args->num++] = cp;
 args->list[args->num] = NULL;
@@ -1048,10 +1053,12 @@ replacearg(arglist *args, u_int which, char *fmt, ...)
 r = vasprintf(&cp, fmt, ap);
 va_end(ap);
 if (r == -1)
- fatal("replacearg: argument too long");
+ fatal_f("argument too long");
+ if (args->list == NULL || args->num >= args->nalloc)
+ fatal_f("arglist corrupt");
 if (which >= args->num)
- fatal("replacearg: tried to replace invalid arg %d >= %d",
+ fatal_f("tried to replace invalid arg %d >= %d",
 which, args->num);
 free(args->list[which]);
 args->list[which] = cp;
@@ -1062,13 +1069,15 @@ freeargs(arglist *args)
 {
 u_int i;
- if (args->list != NULL) {
+ if (args == NULL)
+ return;
+ if (args->list != NULL && args->num < args->nalloc) {
 for (i = 0; i < args->num; i++)
 free(args->list[i]);
 free(args->list);
- args->nalloc = args->num = 0;
- args->list = NULL;
 }
+ args->nalloc = args->num = 0;
+ args->list = NULL;
 }
 /* |
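Review bot: The `256 * 1024` limit in the new `else if (args->num > (256 * 1024))` branch of addargs() is an unexplained magic number. A named constant or a one-line comment above the test would record what the cap is protecting against, for example `/* sanity limit on the number of arguments */` if that is the intent. Because this test runs before `else if (args->num >= args->nalloc)`, a corrupted `num` above the cap is reported as "too many arguments" rather than "arglist corrupt"; checking consistency first would give the more accurate diagnostic. addargs() starts before and continues after the hunk, so this is based only on the visible lines.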
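Review bot: The rewritten `fatal_f("tried to replace invalid arg %d >= %d",` in replacearg() still prints `which` with `%d`, although the signature in the hunk header declares it `u_int`. `args->num` is presumably unsigned too, since freeargs() compares it against a `u_int` index. An out-of-range or corrupted value above INT_MAX would print as a negative number, in exactly the case this message exists to diagnose. Since the line is being touched anyway, switch both conversions to `%u`: `fatal_f("tried to replace invalid arg %u >= %u",`. The function body begins before and runs past the hunk.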
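Review bot: In freeargs(), when `args->list` is non-NULL but `args->num >= args->nalloc`, the new condition `if (args->list != NULL && args->num < args->nalloc)` skips `free(args->list)` as well as the per-element frees. The fields are then cleared, so the inconsistency that addargs() and replacearg() now treat as fatal is silently discarded here along with the allocation. If leaking is the deliberate choice, because a list whose bounds cannot be trusted should not be walked, state that in a comment above the test, e.g. `/* inconsistent arglist: leak rather than free pointers we can't trust */`. A log message on that path would also keep the corruption visible to whoever is debugging it.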