ssh.c - allocated wrong size for sensitive_data.keys?
Ángel González
keisial at gmail.com
Fri Aug 16 10:09:45 EST 2013
On 14/08/13 11:23, Petr Lautrbach wrote:
> Hello,
>
> There's a memory allocation for sensitive_data.keys in ssh.c:848 which
> uses size of Key instead of Key*.
> This is probably harmless but seems to be wrong.
>
> --- a/ssh.c
> +++ b/ssh.c
> @@ -846,7 +846,7 @@ main(int ac, char **av)
> options.hostbased_authentication) {
> sensitive_data.nkeys = 7;
> sensitive_data.keys = xcalloc(sensitive_data.nkeys,
> - sizeof(Key));
> + sizeof(Key *));
> for (i = 0; i < sensitive_data.nkeys; i++)
> sensitive_data.keys[i] = NULL;
>
>
> Petr
I agree with you. Moreover, why is the loop below? The calloc should
take care of it.
And if we are on one of those weird machines where NULL is not
represented by zero bytes (are there still
boxes like this out there?), when the xcalloc can be a
xmalloc(sensitive_data.nkeys * sizeof(Key*));
And if this wasn't enough, the next lines set them again* Those 7 slots
are written thrice between line 819 and 842.
(plus a fourth time on 850-865, but that's conditional to the previous
result)
* Ok... it would need a couple of #else for the case where
OPENSSL_HAS_ECC is not defined.
More information about the openssh-unix-dev
mailing list