summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2011-11-25 23:02:06 -0500
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:10:47 +0100
commit8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a (patch)
tree04b6b346133bca97a98f648cc0002237232299be
parent2ee6282fdda239d75d68c8c82c24a9de31bcb712 (diff)
downloadlibssh-8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a.tar.gz
libssh-8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a.tar.xz
libssh-8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a.zip
CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().
No exploit known, but it is better to check the string length.
-rw-r--r--src/dh.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/dh.c b/src/dh.c
index ec291d33..9b9d2039 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -44,6 +44,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#ifndef _WIN32
#include <netinet/in.h>
@@ -194,6 +195,9 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
char *hexa = NULL;
size_t i;
+ if (len > (UINT_MAX - 1) / 3)
+ return NULL;
+
hexa = malloc(len * 3 + 1);
if (hexa == NULL) {
return NULL;