[openssh-commits] [openssh] 01/02: upstream commit

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit d7e7348e72f9b203189e3fffb75605afecba4fda
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jul 27 23:18:12 2016 +0000

    upstream commit
    
    better bounds check on iovcnt (we only ever use fixed,
    positive values)
    
    Upstream-ID: 9baa6eb5cd6e30c9dc7398e5fe853721a3a5bdee
---
 atomicio.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/atomicio.c b/atomicio.c
index b1ec234..f854a06 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */
+/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -107,12 +107,12 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
 	struct iovec iov_array[IOV_MAX], *iov = iov_array;
 	struct pollfd pfd;
 
-	if (iovcnt > IOV_MAX) {
+	if (iovcnt < 0 || iovcnt > IOV_MAX) {
 		errno = EINVAL;
 		return 0;
 	}
 	/* Make a copy of the iov array because we may modify it below */
-	memcpy(iov, _iov, iovcnt * sizeof(*_iov));
+	memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov));
 
 #ifndef BROKEN_READV_COMPARISON
 	pfd.fd = fd;

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.