Subject: Re: CVS commit: src/crypto/dist/ssh
To: David Young <dyoung@pobox.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: source-changes
Date: 09/16/2003 12:04:36
>> Modified Files:
>> 	src/crypto/dist/ssh: buffer.c
>> 
>> Log Message:
>> Do not record expanded size before attempting to reallocate the associated
>> memory. From OpenBSD, via FreeBSD.

>What difference does this patch make? I just do not see it.

Just looking at buffer.c, yes the patch looks pointless.
Though, just looking at buffer.c you'd also call the xrealloc use
a bug.

Anyway, the problem is that fatal() can call a bunch of cleanup routines
one of which may process buffer which before this patch could be 
claiming to be bigger than it is.  It may not be exploitable (or it may)
but its better to fix.  Of course one could argue that fatal()
should do little more than print an error and die.

--sjg