When (re)allocating space for an array of pointers to char, use
sizeof(*list), not sizeof(**list).  (i.e., sizeof(pointer) rather than
sizeof(char)).

It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.

Submitted by:	Vitezslav Novy
MFC after:	1 day
Colin Percival 2005-09-19 18:43:11 +00:00
parent e26a9b9fff
commit 25284732cd

@ -83,7 +83,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
for (envlen = 0; envlist[envlen] != NULL; ++envlen)
/* nothing */ ;
nitems = sizeof(env_items) / sizeof(*env_items);
tmp = realloc(envlist, (envlen + nitems + 1) * sizeof **envlist);
tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
if (tmp == NULL) {
openpam_free_envlist(envlist);
return (PAM_BUF_ERR);
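
Review bot: The element size in the realloc call is still spelled by hand as sizeof(*envlist), so the allocation stays one asterisk away from the sizeof **envlist mistake being fixed here. That mistake sized each slot as a single char, leaving the buffer at envlen + nitems + 1 bytes while the list needs that many pointers. A one-line comment above the call would make the intent checkable at a glance: the buffer holds envlen existing entries, nitems new ones and the terminating NULL, each a pointer to char. It would also help to state the unit alongside the count, for example by computing the entry count into a named variable before multiplying. The error path below the call needs no change: it frees the original envlist through openpam_free_envlist and returns PAM_BUF_ERR, so a failed realloc does not leak the old list.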