diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 23:02:57 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:11:00 +0100 |
commit | e3d9501b31a11b427afe1cc1cba5208adc2c3c39 (patch) | |
tree | 9eec75f3fed0596faa27e72db92ac375430c3813 | |
parent | 1699adfa036ffc66c62fdbb784610445cbebfc6e (diff) | |
download | libssh-e3d9501b31a11b427afe1cc1cba5208adc2c3c39.tar.gz libssh-e3d9501b31a11b427afe1cc1cba5208adc2c3c39.tar.xz libssh-e3d9501b31a11b427afe1cc1cba5208adc2c3c39.zip |
CVE-2012-4562: Fix possible string related integer overflows.
-rw-r--r-- | src/string.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/src/string.c b/src/string.c index ff633acd..24be06c8 100644 --- a/src/string.c +++ b/src/string.c @@ -22,6 +22,7 @@ */ #include <errno.h> +#include <limits.h> #include <stdlib.h> #include <string.h> @@ -52,7 +53,11 @@ struct ssh_string_struct *ssh_string_new(size_t size) { struct ssh_string_struct *str = NULL; - str = malloc(size + 4); + if (size > UINT_MAX - sizeof(struct ssh_string_struct)) { + return NULL; + } + + str = malloc(sizeof(struct ssh_string_struct) + size); if (str == NULL) { return NULL; } @@ -142,16 +147,22 @@ size_t ssh_string_len(struct ssh_string_struct *s) { char *ssh_string_to_char(struct ssh_string_struct *s) { size_t len; char *new; - if(s==NULL || s->string == NULL) - return NULL; - len = ntohl(s->size) + 1; - new = malloc(len); + if (s == NULL || s->string == NULL) { + return NULL; + } + len = ssh_string_len(s); + if (len + 1 < len) { + return NULL; + } + + new = malloc(len + 1); if (new == NULL) { return NULL; } - memcpy(new, s->string, len - 1); - new[len - 1] = '\0'; + memcpy(new, s->string, len); + new[len] = '\0'; + return new; } |