Small bug in mux_master_read_cb()

Damien Miller djm at mindrot.org
Thu Jun 17 17:07:38 EST 2010


applied, thanks.

On Wed, 16 Jun 2010, Howard Chu wrote:

> I'm looking at the code from CVS as of May 21. The statement to allocate the
> mux state is allocating the size of a pointer, instead of the size of the
> struct being pointed to. The bug is benign in the original code because the
> struct has only an int element inside it, but it would corrupt memory if the
> struct were to be extended.
> 
> Simple fix here:
> 
> diff --git a/mux.c b/mux.c
> index 3f5babc..f151021 100644
> --- a/mux.c
> +++ b/mux.c
> @@ -931,7 +976,7 @@ mux_master_read_cb(Channel *c)
> 
>     /* Setup ctx and  */
>     if (c->mux_ctx == NULL) {
> -       state = xcalloc(1, sizeof(state));
> +       state = xcalloc(1, sizeof(*state));
>         c->mux_ctx = state;
>         channel_register_cleanup(c->self,
>             mux_master_control_cleanup_cb, 0);
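Review bot: the one-line change is the right fix; `sizeof(state)` measures the pointer variable itself, while `sizeof(*state)` measures the object it points to, which is the size `xcalloc` needs. As the message notes, the two sizes only happen to coincide (or the pointer happens to be larger) while the struct holds a single `int`, so the `sizeof(*state)` form is also the one that stays correct if the struct grows. Two smaller points in the same hunk: the context comment `/* Setup ctx and  */` is cut off mid-sentence and could be completed while touching this block, and the header offsets (`-931` versus `+976`) indicate the diff was taken against a tree with other local edits, so expect it to apply with a line offset against CVS HEAD.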
> 
> 
> -- 
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
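The pointer-size versus object-size mistake described in the message, shown as an added example (this is not OpenSSH code and not Howard Chu's patch): a hypothetical state struct that has been extended beyond a single `int`, a pair of functions that return the size a buggy `sizeof(pointer)` allocation and a correct `sizeof(*pointer)` allocation would request, and a check that shows only the latter covers the whole struct.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical state struct, constructed for this example. The original
 * OpenSSH struct held only an int; here it has grown, which is exactly the
 * case in which the sizeof(pointer) allocation becomes a heap overflow. */
struct demo_mux_state {
    int hello_rcvd;
    char path[64];
};

/* Size requested by the buggy form: sizeof of the pointer variable. */
size_t demo_pointer_size(void)
{
    struct demo_mux_state *state = NULL;
    return sizeof(state);
}

/* Size requested by the corrected form: sizeof of the pointed-to object.
 * This stays correct no matter how struct demo_mux_state changes. */
size_t demo_object_size(void)
{
    struct demo_mux_state *state = NULL;
    return sizeof(*state);
}

/* Does an allocation of alloc_size bytes hold the full struct? */
int demo_alloc_fits(size_t alloc_size)
{
    return alloc_size >= sizeof(struct demo_mux_state);
}

/* Allocate zeroed state the way the fix does (calloc stands in for xcalloc).
 * Returns NULL on allocation failure. */
struct demo_mux_state *demo_state_alloc(void)
{
    struct demo_mux_state *state = calloc(1, sizeof(*state));
    return state;
}

/* Allocate, confirm every field is zero-initialised, and free.
 * Returns 1 on success, 0 on allocation failure or non-zero field. */
int demo_state_alloc_is_zeroed(void)
{
    struct demo_mux_state *state = demo_state_alloc();
    int ok;
    size_t i;

    if (state == NULL)
        return 0;
    ok = (state->hello_rcvd == 0);
    for (i = 0; ok && i < sizeof(state->path); i++)
        ok = (state->path[i] == 0);
    free(state);
    return ok;
}
```

The point of `demo_alloc_fits` is that the buggy size is a property of the pointer (typically 4 or 8 bytes), so it silently stops being enough the moment the struct gains a second field; writing the allocation as `calloc(1, sizeof(*p))` ties the request to the object type and removes that failure mode.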
