From 5f82fbca88963f2a87ef0cff1d889e09ae79b99d Mon Sep 17 00:00:00 2001
From: Hasso Tepper
Date: Sat, 4 Oct 2008 09:57:14 +0000
Subject: [PATCH 1/1] How buggy this little piece of code could be? Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the function.

Obtained-from: OpenBSD
---
 crypto/openssh-5/sshconnect2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/openssh-5/sshconnect2.c b/crypto/openssh-5/sshconnect2.c
index 868f26931a..f6405922f0 100644
--- a/crypto/openssh-5/sshconnect2.c
+++ b/crypto/openssh-5/sshconnect2.c
@@ -386,8 +386,8 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
 if (len > 65536)
 len = 65536;
-msg = xmalloc(len * 4); /* max expansion from strnvis() */
-strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
+msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
 fprintf(stderr, "%s", msg);
 xfree(msg);
 }
--
2.41.0
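Review bot: The comment on the new xmalloc() line still reads only `max expansion from strnvis()`, which described the old, too-small size and is exactly why the missing terminator byte went unnoticed; make the extra byte explicit, e.g. `/* strnvis(3): up to 4 output bytes per input byte, plus the NUL */`. The size expression `len * 4 + 1` is now repeated verbatim on two consecutive lines, so computing it once, `size_t siz = len * 4 + 1;`, and passing `siz` to both xmalloc() and strnvis() would keep the allocation and the bound from drifting apart again. The `len > 65536` clamp just above is what keeps `len * 4 + 1` from overflowing len's type, and a one-line comment there (`/* bound banner size so the strnvis() buffer cannot overflow */`) would tie the two together for the next reader. input_userauth_banner() starts before the hunk and continues after it.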