[Bug 425] New: Integer overflow in mm_zalloc

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Nov 5 04:44:17 EST 2002


           Summary: Integer overflow in mm_zalloc
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: siw at goneko.de

3.5p1 is better than 3.4p1, but still not perfect (on platforms where
size_t is larger than u_int).  This patch should fix it, although
I can't test it:

--- openssh-3.5p1/monitor.c-orig        Fri Sep 27 05:26:02 2002
+++ openssh-3.5p1/monitor.c     Mon Nov  4 18:06:24 2002
@@ -1551,7 +1551,7 @@
 void *
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
-       size_t len = size * ncount;
+       size_t len = (size_t) size * ncount;
        void *address;
        if (len == 0 || ncount > SIZE_T_MAX / size)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-unix-dev mailing list