From a257862d4b574dd3958622bbe9d606f532b79c6c Mon Sep 17 00:00:00 2001
From: cperciva <cperciva@FreeBSD.org>
Date: Mon, 19 Sep 2005 18:43:11 +0000
Subject: When (re)allocating space for an array of pointers to char, use
 sizeof(*list), not sizeof(**list).  (i.e., sizeof(pointer) rather than
 sizeof(char)).

It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.

Submitted by:	Vitezslav Novy
MFC after:	1 day
---
 lib/libpam/modules/pam_exec/pam_exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/libpam/modules')

diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index 620dc0d..e4a35ee 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -83,7 +83,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
 	for (envlen = 0; envlist[envlen] != NULL; ++envlen)
 		/* nothing */ ;
 	nitems = sizeof(env_items) / sizeof(*env_items);
-	tmp = realloc(envlist, (envlen + nitems + 1) * sizeof **envlist);
+	tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
 	if (tmp == NULL) {
 		openpam_free_envlist(envlist);
 		return (PAM_BUF_ERR);
-- 
cgit v1.1