thr3ads.net - openssh unix dev - [Bug 425] New: Integer overflow in mm

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at mindrot.org

2002-Nov-04 17:44 UTC

[Bug 425] New: Integer overflow in mm_zalloc

http://bugzilla.mindrot.org/show_bug.cgi?id=425

           Summary: Integer overflow in mm_zalloc
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: siw at goneko.de


3.5p1 is better than 3.4p1, but still not perfect (on platforms where
size_t is larger than u_int).  This patch should fix it, although
I can't test it:

--- openssh-3.5p1/monitor.c-orig        Fri Sep 27 05:26:02 2002
+++ openssh-3.5p1/monitor.c     Mon Nov  4 18:06:24 2002
@@ -1551,7 +1551,7 @@
 void *
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
 {
-       size_t len = size * ncount;
+       size_t len = (size_t) size * ncount;
        void *address;
 
        if (len == 0 || ncount > SIZE_T_MAX / size)



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

Apparently Analagous Threads

Search for more maybe matching threads

openssh unix dev - Nov 2002 - [Bug 425] New: Integer overflow in mm_zalloc

[Bug 425] New: Integer overflow in mm_zalloc

Apparently Analagous Threads

Wisdom of the Ancients