diff options
author | Colin Percival <cperciva@FreeBSD.org> | 2005-09-19 18:43:11 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2005-09-19 18:43:11 +0000 |
commit | 25284732cd6f6068c8e05fe9e3a0b1b9f1e2b5f4 (patch) | |
tree | a49151162fd35076951a92a968baf9fffd4dc955 /lib/libpam | |
parent | e26a9b9fffb04ff5b25eff7eab8c62ae025f3c28 (diff) | |
download | src-25284732cd6f6068c8e05fe9e3a0b1b9f1e2b5f4.tar.gz src-25284732cd6f6068c8e05fe9e3a0b1b9f1e2b5f4.zip |
When (re)allocating space for an array of pointers to char, use
sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than
sizeof(char)).
It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.
Submitted by: Vitezslav Novy
MFC after: 1 day
Notes
Notes:
svn path=/head/; revision=150339
Diffstat (limited to 'lib/libpam')
-rw-r--r-- | lib/libpam/modules/pam_exec/pam_exec.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c index 620dc0d40e03..e4a35ee7c4b3 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.c +++ b/lib/libpam/modules/pam_exec/pam_exec.c @@ -83,7 +83,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, for (envlen = 0; envlist[envlen] != NULL; ++envlen) /* nothing */ ; nitems = sizeof(env_items) / sizeof(*env_items); - tmp = realloc(envlist, (envlen + nitems + 1) * sizeof **envlist); + tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist)); if (tmp == NULL) { openpam_free_envlist(envlist); return (PAM_BUF_ERR); |