Small bug in mux_master_read_cb()

Howard Chu hyc at
Thu Jun 17 10:01:00 EST 2010

I'm looking at the code from CVS as of May 21. The statement to allocate the 
mux state is allocating the size of a pointer, instead of the size of the 
struct being pointed to. The bug is benign in the original code because the 
struct has only an int element inside it, but it would corrupt memory if the 
struct were to be extended.

Simple fix here:

diff --git a/mux.c b/mux.c
index 3f5babc..f151021 100644
--- a/mux.c
+++ b/mux.c
@@ -931,7 +976,7 @@ mux_master_read_cb(Channel *c)

     /* Setup ctx and  */
     if (c->mux_ctx == NULL) {
-       state = xcalloc(1, sizeof(state));
+       state = xcalloc(1, sizeof(*state));
         c->mux_ctx = state;
             mux_master_control_cleanup_cb, 0);
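Review bot: the hunk as posted looks truncated and may not apply cleanly: the header claims 7 old and 7 new lines, but between `c->mux_ctx = state;` and `mux_master_control_cleanup_cb, 0);` the line that opens the cleanup-registration call is missing, leaving `mux_master_control_cleanup_cb, 0);` as a dangling argument list; please regenerate the diff from the tree rather than trimming it by hand. The differing offsets in the header (`-931` vs `+976`) also suggest it was produced against a tree carrying other local changes, so a reviewer applying it to CVS HEAD should expect fuzz. The substantive change is right: `sizeof(state)` is the size of the pointer, while `sizeof(*state)` is the size of the struct it points at, which is what `xcalloc(1, ...)` needs; it only works today because the struct holds a single `int` that fits inside a pointer-sized allocation. While here, the context comment `/* Setup ctx and  */` is cut off and could be completed.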

-- Howard Chu
CTO, Symas Corp.
Director, Highland Sun
Chief Architect, OpenLDAP

More information about the openssh-unix-dev mailing list