diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 23:02:06 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:10:47 +0100 |
commit | 8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a (patch) | |
tree | 04b6b346133bca97a98f648cc0002237232299be | |
parent | 2ee6282fdda239d75d68c8c82c24a9de31bcb712 (diff) | |
download | libssh-8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a.tar.gz libssh-8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a.tar.xz libssh-8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a.zip |
CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().
No exploit known, but it is better to check the string length.
-rw-r--r-- | src/dh.c | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -44,6 +44,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #ifndef _WIN32 #include <netinet/in.h> @@ -194,6 +195,9 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) { char *hexa = NULL; size_t i; + if (len > (UINT_MAX - 1) / 3) + return NULL; + hexa = malloc(len * 3 + 1); if (hexa == NULL) { return NULL; |