bugzilla-daemon at mindrot.org
2002-Nov-04 17:44 UTC
[Bug 425] New: Integer overflow in mm_zalloc
http://bugzilla.mindrot.org/show_bug.cgi?id=425 Summary: Integer overflow in mm_zalloc Product: Portable OpenSSH Version: 3.5p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: siw at goneko.de 3.5p1 is better than 3.4p1, but still not perfect (on platforms where size_t is larger than u_int). This patch should fix it, although I can't test it: --- openssh-3.5p1/monitor.c-orig Fri Sep 27 05:26:02 2002 +++ openssh-3.5p1/monitor.c Mon Nov 4 18:06:24 2002 @@ -1551,7 +1551,7 @@ void * mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { - size_t len = size * ncount; + size_t len = (size_t) size * ncount; void *address; if (len == 0 || ncount > SIZE_T_MAX / size) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.