From: djm Date: Wed, 27 Jul 2016 23:18:12 +0000 (+0000) Subject: better bounds check on iovcnt (we only ever use fixed, positive values) X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=df16cf54555b3b9eb37256ac013b5dd3c9fef23f;p=openbsd better bounds check on iovcnt (we only ever use fixed, positive values) --- diff --git a/usr.bin/ssh/atomicio.c b/usr.bin/ssh/atomicio.c index 4a391958aa5..58916384919 100644 --- a/usr.bin/ssh/atomicio.c +++ b/usr.bin/ssh/atomicio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */ +/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */ /* * Copyright (c) 2006 Damien Miller. All rights reserved. * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. @@ -94,12 +94,12 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd, struct iovec iov_array[IOV_MAX], *iov = iov_array; struct pollfd pfd; - if (iovcnt > IOV_MAX) { + if (iovcnt < 0 || iovcnt > IOV_MAX) { errno = EINVAL; return 0; } /* Make a copy of the iov array because we may modify it below */ - memcpy(iov, _iov, iovcnt * sizeof(*_iov)); + memcpy(iov, _iov, (size_t)iovcnt * sizeof(*_iov)); pfd.fd = fd; pfd.events = f == readv ? POLLIN : POLLOUT;