Bug 425 - Integer overflow in mm_zalloc
Summary: Integer overflow in mm_zalloc
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: -current
Hardware: All All
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2002-11-05 04:44 AEDT by Jan Echternach
Modified: 2004-04-14 12:24 AEST
Description Jan Echternach 2002-11-05 04:44:09 AEDT
3.5p1 is better than 3.4p1, but still not perfect (on platforms where
size_t is larger than u_int).  This patch should fix it, although
I can't test it:

--- openssh-3.5p1/monitor.c-orig        Fri Sep 27 05:26:02 2002
+++ openssh-3.5p1/monitor.c     Mon Nov  4 18:06:24 2002
@@ -1551,7 +1551,7 @@
 void *
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
 {
-       size_t len = size * ncount;
+       size_t len = (size_t) size * ncount;
        void *address;
 
        if (len == 0 || ncount > SIZE_T_MAX / size)
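Review bot: the new `len` line needs a comment saying why the cast is there, because `(size_t) size * ncount` reads like the old line at a glance and a later cleanup could drop the cast as redundant. Both operands are declared `u_int` in the signature, so without the cast the product is formed in `u_int` and only then widened, which is the case the description names (size_t larger than u_int). Where size_t and u_int have the same width the cast changes nothing and the product can still wrap, so the function then depends entirely on the `ncount > SIZE_T_MAX / size` test in the context line; consider doing that test before the multiplication so `len` never holds a wrapped value, and keep the `len == 0` short-circuit (or an explicit `size == 0` test) ahead of the division.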
Comment 1 Markus Friedl 2002-11-06 06:43:46 AEDT
thanks, applied
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED
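The truncation the description refers to, as an added example that is not part of the bug report or of OpenSSH: it models a platform with 32-bit u_int and 64-bit size_t using fixed-width types, and applies the guard from the patch's context line to the length as computed before and after the change. The `model_*` names, the helper functions and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the affected platforms: u_int = 32 bits, size_t = 64 bits. */
typedef uint32_t model_uint;
typedef uint64_t model_size;
#define MODEL_SIZE_MAX UINT64_MAX

/* Before the patch: the product is formed in 32 bits, then widened. */
static model_size len_before(model_uint ncount, model_uint size)
{
    return (model_uint)(size * ncount);
}

/* After the patch: one operand is widened first, so the product is 64-bit. */
static model_size len_after(model_uint ncount, model_uint size)
{
    return (model_size)size * ncount;
}

/* Guard from the context line; 1 means the request is refused.
 * With a 32-bit ncount and a 64-bit maximum the division test can never
 * fire, so only the len == 0 test is live in this model. */
static int rejected(model_size len, model_uint ncount, model_uint size)
{
    return len == 0 || ncount > MODEL_SIZE_MAX / size;
}

/* 1 when the request passes the guard but len is smaller than the real
 * ncount * size, i.e. the caller would get a buffer that is too small. */
static int undersized(model_size len, model_uint ncount, model_uint size)
{
    model_size want = (model_size)size * ncount; /* fits: both are < 2^32 */
    return !rejected(len, ncount, size) && len < want;
}

int main(void)
{
    model_uint ncount = 0x10001u, size = 0x10000u; /* constructed sample */
    model_size b = len_before(ncount, size), a = len_after(ncount, size);

    printf("before: len=%llu undersized=%d\n",
           (unsigned long long)b, undersized(b, ncount, size));
    printf("after:  len=%llu undersized=%d\n",
           (unsigned long long)a, undersized(a, ncount, size));
    return 0;
}
```

A product that wraps to exactly zero (for example 0x10000 * 0x10000 in this model) is refused before the patch only because of the `len == 0` test; any other wrapped product passes the guard.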