aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2015-01-14 11:16:59 +0100
committerAndreas Schneider <asn@cryptomilk.org>2015-01-14 15:21:40 +0100
commit4de6a708ad29090d2de3d781c509c880d7cdd232 (patch)
treee422207ebd144a8a876b3b48025c50c2788c8302
parentfd3b1f63a135b13f90af5c6e6516ecfdbfa540e0 (diff)
downloadlibssh-4de6a708ad29090d2de3d781c509c880d7cdd232.tar.gz
libssh-4de6a708ad29090d2de3d781c509c880d7cdd232.tar.xz
libssh-4de6a708ad29090d2de3d781c509c880d7cdd232.zip
sftp: Fix a possible integer overflow.
CID: #1238630 Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Aris Adamantiadis <aris@0xbadc0de.be> (cherry picked from commit af0dd3fb0208bf7bded0533020682c65b94544eb)
-rw-r--r--src/sftp.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/sftp.c b/src/sftp.c
index 15984df9..be406b56 100644
--- a/src/sftp.c
+++ b/src/sftp.c
@@ -340,7 +340,6 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
return NULL;
}
- size = ntohl(size);
r=ssh_channel_read(sftp->channel, buffer, 1, 0);
if (r <= 0) {
/* TODO: check if there are cases where an error needs to be set here */
@@ -350,7 +349,12 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
}
buffer_add_data(packet->payload, buffer, r);
buffer_get_u8(packet->payload, &packet->type);
- size=size-1;
+
+ size = ntohl(size);
+ if (size == 0) {
+ return packet;
+ }
+ size--;
while (size>0){
r=ssh_channel_read(sftp->channel,buffer,
sizeof(buffer)>size ? size:sizeof(buffer),0);