diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2006-03-25 01:13:24 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2006-03-25 01:13:24 +0000 |
| commit | 9a8aaa01f21a60e2f5f372b9722e363b36254df9 (patch) | |
| tree | 2f9a74072ee701d5c60ccf0b6c31f22ac1be3a57 /usr.bin/ssh/sftp-server.c | |
| parent | 2deaa1649526d4ce68eed29e66d89d32fea75950 (diff) | |
change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).
realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@
Diffstat (limited to 'usr.bin/ssh/sftp-server.c')
| -rw-r--r-- | usr.bin/ssh/sftp-server.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c index 7ea3eda68c2..d2827204585 100644 --- a/usr.bin/ssh/sftp-server.c +++ b/usr.bin/ssh/sftp-server.c @@ -700,7 +700,7 @@ process_readdir(void) while ((dp = readdir(dirp)) != NULL) { if (count >= nstats) { nstats *= 2; - stats = xrealloc(stats, nstats * sizeof(Stat)); + stats = xrealloc(stats, nstats, sizeof(Stat)); } /* XXX OVERFLOW ? */ snprintf(pathname, sizeof pathname, "%s%s%s", path, |