diff options
author | Andreas Schneider <asn@cryptomilk.org> | 2012-10-05 11:39:47 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:11:03 +0100 |
commit | b485463197cd220aa654e7fc34a18d68af37e6e7 (patch) | |
tree | ef2ee61394ca1562598b2fe5d8f2447724148b4c | |
parent | 64fca8a7ed83c3315781a77aac1ea36d52ff0c7e (diff) | |
download | libssh-b485463197cd220aa654e7fc34a18d68af37e6e7.tar.gz libssh-b485463197cd220aa654e7fc34a18d68af37e6e7.tar.xz libssh-b485463197cd220aa654e7fc34a18d68af37e6e7.zip |
CVE-2012-4560: Fix a write one past the end of 'buf'.
-rw-r--r-- | src/misc.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -719,7 +719,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { if (*p != '%') { buf[i] = *p; i++; - if (i > MAX_BUF_SIZE) { + if (i >= MAX_BUF_SIZE) { + free(r); return NULL; } buf[i] = '\0'; @@ -771,7 +772,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { } i += strlen(x); - if (i > MAX_BUF_SIZE) { + if (i >= MAX_BUF_SIZE) { ssh_set_error(session, SSH_FATAL, "String too long"); free(x); |