How buggy this little piece of code could be? Repair strnvis() buffersize
authorHasso Tepper <hasso@dragonflybsd.org>
Sat, 4 Oct 2008 09:57:14 +0000 (09:57 +0000)
committerHasso Tepper <hasso@dragonflybsd.org>
Sat, 4 Oct 2008 09:57:14 +0000 (09:57 +0000)
of 4*n+1, with termination guaranteed by the function.

Obtained-from: OpenBSD

crypto/openssh-5/sshconnect2.c

index 868f269..f640592 100644 (file)
@@ -386,8 +386,8 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
        if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
                if (len > 65536)
                        len = 65536;
-               msg = xmalloc(len * 4); /* max expansion from strnvis() */
-               strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
+               msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+               strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
                fprintf(stderr, "%s", msg);
                xfree(msg);
        }
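Review bot: The new size `len * 4 + 1` is safe from overflow only because of the `if (len > 65536) len = 65536;` clamp just above it, and the comment on the allocation line no longer says what the extra byte is for; I would make both explicit, e.g. `/* max expansion from strnvis() + NUL; len is clamped above */`. Note also that strnvis() walks `raw` up to its NUL terminator rather than for `len` bytes, so this relies on `raw` having been NUL-terminated by whatever produced it (presumably the packet string getter, which is not visible here) — worth a one-line comment at the call. VIS_SAFE deliberately leaves a few terminal control characters (backspace, bell, carriage return) unencoded, so the server-supplied banner written to stderr is sanitized only against the more dangerous escapes; if that is not intended for untrusted text, dropping VIS_SAFE from the flags is the one-token change. input_userauth_banner starts before and continues after this hunk.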