- djm@cvs.openbsd.org 2006/04/16 07:59:00

[atomicio.c] reorder sanity test so that it cannot dereference past the end of the iov array; well spotted canacar@!
2025-07-31 01:35:11 +02:00 · 2006-04-23 12:06:49 +10:00 · 2006-04-23 12:06:49 +10:00 · b5ea7e7c03
commit b5ea7e7c03
parent 58ca98bfe1
2 changed files with 7 additions and 3 deletions
--- a/6
+++ b/6
@ -37,6 +37,10 @@
     commands, which would result in a separate tiny packet on the wire by
     using atomiciov(writev, ...) to write the length and the command in one
     pass; ok deraadt@
   - djm@cvs.openbsd.org 2006/04/16 07:59:00
     [atomicio.c]
     reorder sanity test so that it cannot dereference past the end of the
     iov array; well spotted canacar@!
 20060421
 - (djm) [Makefile.in configure.ac session.c sshpty.c]
@ -4548,4 +4552,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4309 2006/04/23 02:06:35 djm Exp $
+$Id: ChangeLog,v 1.4310 2006/04/23 02:06:49 djm Exp $
--- a/atomicio.c
+++ b/atomicio.c
@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.18 2006/04/16 00:52:55 djm Exp $ */
+/* $OpenBSD: atomicio.c,v 1.19 2006/04/16 07:59:00 djm Exp $ */
 /*
 * Copyright (c) 2006 Damien Miller. All rights reserved.
 * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@ -99,7 +99,7 @@ atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
 				iovcnt--;
 			}
 			/* This shouldn't happen... */
-			if (rem > iov[0].iov_len || (rem > 0 && iovcnt <= 0)) {
+			if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) {
 				errno = EFAULT;
 				return 0;
 			}