author | Jakub Jelen <jjelen@redhat.com> | 2019-09-24 13:23:25 +0200 |
---|---|---|
committer | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-09-30 16:00:19 +0200 |
commit | 6ccd84bae9296fc08e837431d4b616d800ce71a6 (patch) | |
tree | acc926d0bbc3e9ccc6834e6da94869213fe8d5ea | |
parent | e4c281c7ce383d8505331a30c2ec0f0cabeff202 (diff) | |
buffer: Avoid use of uninitialized values
Fixes the following oss-fuzz bug:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17565
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit aff7c500d5721e35c998b1b3c78e450fe7ff986d)
-rw-r--r-- | src/buffer.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/src/buffer.c b/src/buffer.c
index 1f38ae6f..d7d90d07 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1119,6 +1119,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 goto cleanup;
 }
+ rc = SSH_ERROR;
 switch (*p) {
 case 'b':
 o.byte = va_arg(ap, uint8_t *);
@@ -1128,20 +1129,26 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 case 'w':
 o.word = va_arg(ap, uint16_t *);
 rlen = ssh_buffer_get_data(buffer, o.word, sizeof(uint16_t));
- *o.word = ntohs(*o.word);
- rc = rlen==2 ? SSH_OK : SSH_ERROR;
+ if (rlen == 2) {
+ *o.word = ntohs(*o.word);
+ rc = SSH_OK;
+ }
 break;
 case 'd':
 o.dword = va_arg(ap, uint32_t *);
 rlen = ssh_buffer_get_u32(buffer, o.dword);
- *o.dword = ntohl(*o.dword);
- rc = rlen==4 ? SSH_OK : SSH_ERROR;
+ if (rlen == 4) {
+ *o.dword = ntohl(*o.dword);
+ rc = SSH_OK;
+ }
 break;
 case 'q':
 o.qword = va_arg(ap, uint64_t*);
 rlen = ssh_buffer_get_u64(buffer, o.qword);
- *o.qword = ntohll(*o.qword);
- rc = rlen==8 ? SSH_OK : SSH_ERROR;
+ if (rlen == 8) {
+ *o.qword = ntohll(*o.qword);
+ rc = SSH_OK;
+ }
 break;
 case 'B':
 o.bignum = va_arg(ap, bignum *); |
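Review bot: The new `rc = SSH_ERROR;` ahead of `switch (*p)` in the first hunk has no comment, yet the 'w', 'd' and 'q' cases changed in the second hunk now rely on it for their failure result. A line such as `/* fail by default; a case sets SSH_OK only after a complete read */` would keep a later edit from dropping it as a redundant assignment. Only the first line of `case 'b'` is inside this hunk and the rest of the switch lies outside it, so whether every other case assigns rc itself cannot be checked from here.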
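Review bot: On a short read the 'w', 'd' and 'q' cases in the second hunk now skip the byte swap but still leave the caller's `*o.word`, `*o.dword` and `*o.qword` unwritten, so a caller that ignores the SSH_ERROR return would still consume an indeterminate value. Assuming the getters write nothing on failure, which the original fuzz finding suggests, an `else { *o.word = 0; }` branch in each case would give those callers a defined value; alternatively the function's documentation could state that outputs are undefined on error. The checks could also read `rlen == sizeof(uint16_t)` and so on, so they stay tied to the size handed to the getter instead of the literals 2, 4 and 8. The switch starts and continues outside this hunk, so how the cleanup path treats these outputs is not visible here.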