diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2016-07-27 23:18:13 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2016-07-27 23:18:13 +0000 |
| commit | 0b20b4600d0487892b18062094d3a2138f2afed3 (patch) | |
| tree | a923a41352719f8e5f984c525261900693a46997 /usr.bin/ssh | |
| parent | 640b4842fb533a7999be3284884fed54bf17f8db (diff) | |
better bounds check on iovcnt (we only ever use fixed, positive values)
Diffstat (limited to 'usr.bin/ssh')
| -rw-r--r-- | usr.bin/ssh/atomicio.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.bin/ssh/atomicio.c b/usr.bin/ssh/atomicio.c index 4a391958aa5..58916384919 100644 --- a/usr.bin/ssh/atomicio.c +++ b/usr.bin/ssh/atomicio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */ +/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */ /* * Copyright (c) 2006 Damien Miller. All rights reserved. * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. @@ -94,12 +94,12 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd, struct iovec iov_array[IOV_MAX], *iov = iov_array; struct pollfd pfd; - if (iovcnt > IOV_MAX) { + if (iovcnt < 0 || iovcnt > IOV_MAX) { errno = EINVAL; return 0; } /* Make a copy of the iov array because we may modify it below */ - memcpy(iov, _iov, iovcnt * sizeof(*_iov)); + memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov)); pfd.fd = fd; pfd.events = f == readv ? POLLIN : POLLOUT; |