[Bug 425] New: Integer overflow in mm_zalloc
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Nov 5 04:44:17 EST 2002
http://bugzilla.mindrot.org/show_bug.cgi?id=425
Summary: Integer overflow in mm_zalloc
Product: Portable OpenSSH
Version: 3.5p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: siw at goneko.de
3.5p1 is better than 3.4p1, but still not perfect (on platforms where
size_t is larger than u_int). This patch should fix it, although
I can't test it:
--- openssh-3.5p1/monitor.c-orig Fri Sep 27 05:26:02 2002
+++ openssh-3.5p1/monitor.c Mon Nov 4 18:06:24 2002
@@ -1551,7 +1551,7 @@
void *
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
- size_t len = size * ncount;
+ size_t len = (size_t) size * ncount;
void *address;
if (len == 0 || ncount > SIZE_T_MAX / size)
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-unix-dev
mailing list