summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2012-10-05 11:39:47 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:11:03 +0100
commitb485463197cd220aa654e7fc34a18d68af37e6e7 (patch)
treeef2ee61394ca1562598b2fe5d8f2447724148b4c
parent64fca8a7ed83c3315781a77aac1ea36d52ff0c7e (diff)
downloadlibssh-b485463197cd220aa654e7fc34a18d68af37e6e7.tar.gz
libssh-b485463197cd220aa654e7fc34a18d68af37e6e7.tar.xz
libssh-b485463197cd220aa654e7fc34a18d68af37e6e7.zip
CVE-2012-4560: Fix a write one past the end of 'buf'.
-rw-r--r--src/misc.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/misc.c b/src/misc.c
index 62230354..199018fb 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -719,7 +719,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
if (*p != '%') {
buf[i] = *p;
i++;
- if (i > MAX_BUF_SIZE) {
+ if (i >= MAX_BUF_SIZE) {
+ free(r);
return NULL;
}
buf[i] = '\0';
@@ -771,7 +772,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
}
i += strlen(x);
- if (i > MAX_BUF_SIZE) {
+ if (i >= MAX_BUF_SIZE) {
ssh_set_error(session, SSH_FATAL,
"String too long");
free(x);