authorAndreas Schneider <mail@cynapses.org>2009-09-08 11:36:06 +0200
committerAndreas Schneider <mail@cynapses.org>2009-09-08 11:36:06 +0200
commitadd2aa5f45af2d381a1638cdd0d5fcacc1fdd8f9 (patch)
treecc542c8a490843231a1adda5f43ea3e94e3ad5dd
parent26cdf0d99422ab1490abcdce65fcfd219d763947 (diff)
Fix an integer overflow in buffer_get_data().
Thanks to Orange Labs for the report.
-rw-r--r--libssh/buffer.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libssh/buffer.c b/libssh/buffer.c
index effc52c2..06859583 100644
--- a/libssh/buffer.c
+++ b/libssh/buffer.c
@@ -298,8 +298,13 @@ u32 buffer_pass_bytes_end(struct buffer_struct *buffer, u32 len){
* \returns len otherwise.
*/
u32 buffer_get_data(struct buffer_struct *buffer, void *data, u32 len){
- if(buffer->pos+len>buffer->used)
- return 0; /*no enough data in buffer */
+ /*
+ * Check for a integer overflow first, then check if not enough data is in
+ * the buffer.
+ */
+ if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+ return 0;
+ }
memcpy(data,buffer->data+buffer->pos,len);
buffer->pos+=len;
return len; /* no yet support for partial reads (is it really needed ?? ) */
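Review bot: The new guard in buffer_get_data still computes `buffer->pos + len` twice and depends on the wrap test being read correctly. A subtraction form such as `if (buffer->pos > buffer->used || len > buffer->used - buffer->pos) return 0;` has no sum that can wrap, and it also rejects a `pos` that has already run past `used`. The hunk header shows buffer_pass_bytes_end directly above this function; if it or the other length-taking helpers in buffer.c compare `pos + len` against `used` in the same way, they need the same guard, which cannot be confirmed from this hunk. The failure return of 0 is also what a successful zero-length read returns, so the doc comment should say that callers must compare the result with the requested `len`.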