Bug 425

Summary: Integer overflow in mm_zalloc
Product: Portable OpenSSH
Reporter: Jan Echternach <siw>
Component: Miscellaneous
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: normal
Priority: P2
Version: -current
Hardware: All
OS: All

Description Jan Echternach 2002-11-05 04:44:09 AEDT
3.5p1 is better than 3.4p1, but still not perfect (on platforms where
size_t is larger than u_int).  This patch should fix it, although
I can't test it:

--- openssh-3.5p1/monitor.c-orig        Fri Sep 27 05:26:02 2002
+++ openssh-3.5p1/monitor.c     Mon Nov  4 18:06:24 2002
@@ -1551,7 +1551,7 @@
 void *
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
 {
-       size_t len = size * ncount;
+       size_t len = (size_t) size * ncount;
        void *address;
 
        if (len == 0 || ncount > SIZE_T_MAX / size)
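Review bot: The guard on the last context line, `ncount > SIZE_T_MAX / size`, avoids a division by zero for `size == 0` only because `len == 0` is tested first and short-circuits, and it runs after the product has already been computed. It would be more robust to validate the operands before multiplying, for example by rejecting `size == 0 || ncount == 0` and then `ncount > SIZE_T_MAX / size`, and only then assigning `len`. The cast on the `+` line is correct as written because it binds to `size` before the multiplication, so the product is computed at `size_t` width; a short comment there would help, since the similar-looking `(size_t)(size * ncount)` would still multiply at `u_int` width and wrap where `size_t` is wider than `u_int`.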
Comment 1 Markus Friedl 2002-11-06 06:43:46 AEDT
thanks, applied
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED