summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2011-11-25 23:02:57 -0500
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:11:00 +0100
commite3d9501b31a11b427afe1cc1cba5208adc2c3c39 (patch)
tree9eec75f3fed0596faa27e72db92ac375430c3813
parent1699adfa036ffc66c62fdbb784610445cbebfc6e (diff)
downloadlibssh-e3d9501b31a11b427afe1cc1cba5208adc2c3c39.tar.gz
libssh-e3d9501b31a11b427afe1cc1cba5208adc2c3c39.tar.xz
libssh-e3d9501b31a11b427afe1cc1cba5208adc2c3c39.zip
CVE-2012-4562: Fix possible string related integer overflows.
-rw-r--r--src/string.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/src/string.c b/src/string.c
index ff633acd..24be06c8 100644
--- a/src/string.c
+++ b/src/string.c
@@ -22,6 +22,7 @@
*/
#include <errno.h>
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -52,7 +53,11 @@
struct ssh_string_struct *ssh_string_new(size_t size) {
struct ssh_string_struct *str = NULL;
- str = malloc(size + 4);
+ if (size > UINT_MAX - sizeof(struct ssh_string_struct)) {
+ return NULL;
+ }
+
+ str = malloc(sizeof(struct ssh_string_struct) + size);
if (str == NULL) {
return NULL;
}
@@ -142,16 +147,22 @@ size_t ssh_string_len(struct ssh_string_struct *s) {
char *ssh_string_to_char(struct ssh_string_struct *s) {
size_t len;
char *new;
- if(s==NULL || s->string == NULL)
- return NULL;
- len = ntohl(s->size) + 1;
- new = malloc(len);
+ if (s == NULL || s->string == NULL) {
+ return NULL;
+ }
+ len = ssh_string_len(s);
+ if (len + 1 < len) {
+ return NULL;
+ }
+
+ new = malloc(len + 1);
if (new == NULL) {
return NULL;
}
- memcpy(new, s->string, len - 1);
- new[len - 1] = '\0';
+ memcpy(new, s->string, len);
+ new[len] = '\0';
+
return new;
}