authorAndreas Schneider <asn@cryptomilk.org>2012-10-12 11:35:20 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:10:57 +0100
commit1699adfa036ffc66c62fdbb784610445cbebfc6e (patch)
tree311f73e8c59bdd2b1c956b0d6492c9eb926ad534
parentdb81310d719878cc04b23e4033fbe19fa0b1f8a3 (diff)
CVE-2012-4562: Fix a possible infinite loop in buffer_reinit().
If needed is bigger than the highest power of two which fits in an integer, we will loop forever.
-rw-r--r--src/buffer.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/buffer.c b/src/buffer.c
index 3ffe6de3..aef7e44c 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -111,13 +111,18 @@ void ssh_buffer_free(struct ssh_buffer_struct *buffer) {
SAFE_FREE(buffer);
}
-static int realloc_buffer(struct ssh_buffer_struct *buffer, int needed) {
- int smallest = 1;
- char *new = NULL;
+static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed) {
+ size_t smallest = 1;
+ char *new;
+
buffer_verify(buffer);
+
/* Find the smallest power of two which is greater or equal to needed */
while(smallest <= needed) {
- smallest <<= 1;
+ if (smallest == 0) {
+ return -1;
+ }
+ smallest <<= 1;
}
needed = smallest;
new = realloc(buffer->data, needed);
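Review bot: The wraparound guard in the `while` loop protects only the power-of-two rounding; it puts no upper limit on `needed` itself, so any value below the top bit is still rounded up (to as much as half the address space) and handed to `realloc`. If `needed` is derived from lengths that arrive over the wire (the callers are outside this hunk, so this needs confirming), an explicit maximum checked before the loop would fail earlier and more predictably, and the callers' own length additions should be checked for wrap before they reach this function now that the parameter is `size_t`. The guard is also easy to misread, because it depends on `0 <= needed` being true so that the loop is re-entered after the shift has already wrapped; testing before the shift, `if (smallest > SIZE_MAX / 2) return -1;`, states the intent directly. The comment above the loop says "greater or equal", but `smallest <= needed` produces a power of two strictly greater than `needed`, so either the comment or the condition should change. The body of realloc_buffer continues past the end of the hunk, so the handling of a failed `realloc` is not visible here.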