From: djm Date: Sun, 23 Apr 2006 02:06:49 +0000 (+0000) Subject: - djm@cvs.openbsd.org 2006/04/16 07:59:00 X-Git-Tag: V_4_4_P1~258 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/7bccebd0f1225014c3525494e4359f9c43f47164 - djm@cvs.openbsd.org 2006/04/16 07:59:00 [atomicio.c] reorder sanity test so that it cannot dereference past the end of the iov array; well spotted canacar@! --- diff --git a/ChangeLog b/ChangeLog index 89fce1a2..b36cf319 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,10 @@ commands, which would result in a separate tiny packet on the wire by using atomiciov(writev, ...) to write the length and the command in one pass; ok deraadt@ + - djm@cvs.openbsd.org 2006/04/16 07:59:00 + [atomicio.c] + reorder sanity test so that it cannot dereference past the end of the + iov array; well spotted canacar@! 20060421 - (djm) [Makefile.in configure.ac session.c sshpty.c] diff --git a/atomicio.c b/atomicio.c index de5363aa..3939785d 100644 --- a/atomicio.c +++ b/atomicio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: atomicio.c,v 1.18 2006/04/16 00:52:55 djm Exp $ */ +/* $OpenBSD: atomicio.c,v 1.19 2006/04/16 07:59:00 djm Exp $ */ /* * Copyright (c) 2006 Damien Miller. All rights reserved. * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. @@ -99,7 +99,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd, iovcnt--; } /* This shouldn't happen... */ - if (rem > iov[0].iov_len || (rem > 0 && iovcnt <= 0)) { + if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) { errno = EFAULT; return 0; }
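Review bot: In the atomicio.c hunk at @@ -99,7, the rewritten test `if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len))` is safe only because `iovcnt <= 0` is evaluated before `iov[0].iov_len`, yet the comment above it still reads just "This shouldn't happen...", so a later reordering could reintroduce the read past the end of the iov array without anyone noticing. Suggest expanding that comment to say that the iovcnt test must stay ahead of any access to iov[0]. Separately, when rem == 0 and iovcnt == 0 the check now falls through without touching iov[0]; the lines after the closing brace are not shown in this hunk, so please confirm they do not read or adjust iov[0] in that case.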