When (re)allocating space for an array of pointers to char, use

sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than sizeof(char)). It is possible that this buffer overflow is exploitable, but it was added after RELENG_5 forked and hasn't been MFCed, so this will not receive an advisory. Submitted by: Vitezslav Novy MFC after: 1 day
author: cperciva <cperciva@FreeBSD.org> 2005-09-19 18:43:11 +0000
committer: cperciva <cperciva@FreeBSD.org> 2005-09-19 18:43:11 +0000
commit: a257862d4b574dd3958622bbe9d606f532b79c6c (patch)
tree: a49151162fd35076951a92a968baf9fffd4dc955 /lib/libpam/modules
parent: 55be30560c859a87d8660f3d2a7459e590252782 (diff)
download: FreeBSD-src-a257862d4b574dd3958622bbe9d606f532b79c6c.zip
FreeBSD-src-a257862d4b574dd3958622bbe9d606f532b79c6c.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index 620dc0d..e4a35ee 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -83,7 +83,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
 	for (envlen = 0; envlist[envlen] != NULL; ++envlen)
 		/* nothing */ ;
 	nitems = sizeof(env_items) / sizeof(*env_items);
-	tmp = realloc(envlist, (envlen + nitems + 1) * sizeof **envlist);
+	tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
 	if (tmp == NULL) {
 		openpam_free_envlist(envlist);
 		return (PAM_BUF_ERR);
author	cperciva <cperciva@FreeBSD.org>	2005-09-19 18:43:11 +0000
committer	cperciva <cperciva@FreeBSD.org>	2005-09-19 18:43:11 +0000
commit	a257862d4b574dd3958622bbe9d606f532b79c6c (patch)
tree	a49151162fd35076951a92a968baf9fffd4dc955 /lib/libpam/modules
parent	55be30560c859a87d8660f3d2a7459e590252782 (diff)
download	FreeBSD-src-a257862d4b574dd3958622bbe9d606f532b79c6c.zip FreeBSD-src-a257862d4b574dd3958622bbe9d606f532b79c6c.tar.gz