author | milo <milo.sshiva@gmail.com> | 2009-08-07 12:13:29 +0200 |
---|---|---|
committer | Andreas Schneider <mail@cynapses.org> | 2009-08-07 12:49:55 +0200 |
commit | 3ad559cc231bf6afb1eeb333a854a64c50400e2c (patch) | |
tree | 3a4ddd04080c668526998298d5ddaa11536ee1bf | |
parent | ec02ce0ec211f7935643b65fb489ad0c6cfde7e8 (diff) | |
Fix buffer overflow in generate_cookie()
Signed-off-by: Andreas Schneider <mail@cynapses.org>
-rw-r--r-- | libssh/channels.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libssh/channels.c b/libssh/channels.c
index ad679ce5..84a222eb 100644
--- a/libssh/channels.c
+++ b/libssh/channels.c
@@ -1257,8 +1257,9 @@ int channel_request_sftp( ssh_channel channel){
 return channel_request_subsystem(channel, "sftp");
 }
-static void generate_cookie(char *s) {
+static ssh_string generate_cookie(void) {
 static const char *hex = "0123456789abcdef";
+ char s[36];
 int i;
 srand ((unsigned int)time(NULL));
@@ -1266,6 +1267,7 @@ static void generate_cookie(char *s) {
 s[i] = hex[rand() % 16];
 }
 s[32] = '\0';
+ return string_from_char(s);
 }
 /**
@@ -1296,7 +1298,6 @@ int channel_request_x11(ssh_channel channel, int single_connection, const char *
 ssh_buffer buffer = NULL;
 ssh_string p = NULL;
 ssh_string c = NULL;
- char s[32];
 int rc = SSH_ERROR;
 buffer = buffer_new();
@@ -1312,8 +1313,7 @@ int channel_request_x11(ssh_channel channel, int single_connection, const char *
 if (cookie) {
 c = string_from_char(cookie);
 } else {
- generate_cookie(s);
- c = string_from_char(s);
+ c = generate_cookie();
 }
 if (c == NULL) {
 goto error; |
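Review bot: The cookie in the first hunk is still produced by `srand ((unsigned int)time(NULL));` followed by `rand() % 16`, so the X11 authentication cookie is fully determined by the second in which the request was made and offers little protection against anyone who can estimate that time. The overflow fix leaves this untouched; the digits should come from the library's cryptographic random source instead, for example `unsigned char rnd[32]; ssh_get_random(rnd, sizeof(rnd), 0);` and then `s[i] = hex[rnd[i] % 16];`, with the call's return value checked (confirm the helper's signature in this tree). Calling srand() here also reseeds the host application's rand() state as a side effect. The loop header lies between this hunk and the next, so the 32-iteration bound is inferred from `s[32] = '\0';`.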
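Review bot: generate_cookie() now ends with `return string_from_char(s);` in the second hunk, yet nothing at the definition documents the new return value or who releases it. A one-line header comment would cover it, e.g. `/* Returns a newly allocated 32-character hex cookie, or NULL on allocation failure; the caller owns the result. */` (NULL-on-failure is inferred from the `c == NULL` check in channel_request_x11). The buffer is declared `char s[36]` while only indices 0..32 appear to be written; sizing it from a new named constant, as in `char s[X11_COOKIE_LEN + 1];`, and using that constant for the loop bound and terminator would keep the two from drifting apart again. The function's opening lines are in the previous hunk.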