diff options
author | Andreas Schneider <asn@cryptomilk.org> | 2017-02-23 16:24:17 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2017-04-13 16:12:27 +0200 |
commit | 57550e6211c19c634a319bed59d39b28d020dcd1 (patch) | |
tree | aa6735e4917b00715d73b740bd06131f6d9a38a6 | |
parent | 34bdc1ca7871e8e9258077411edd516c8de55299 (diff) | |
download | libssh-57550e6211c19c634a319bed59d39b28d020dcd1.tar.gz libssh-57550e6211c19c634a319bed59d39b28d020dcd1.tar.xz libssh-57550e6211c19c634a319bed59d39b28d020dcd1.zip |
buffer: Validate the length before before memory allocation
Check if the size the other party sent is a valid size in the
transmitted buffer.
Thanks to Alex Gaynor for finding and reporting the issue.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r-- | src/buffer.c | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/src/buffer.c b/src/buffer.c index 0c776698..d1a727ae 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -848,10 +848,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, char **cstring; void **data; } o; - size_t len, rlen; + size_t len, rlen, max_len; va_list ap_copy; int count; + max_len = ssh_buffer_get_len(buffer); + /* copy the argument list in case a rollback is needed */ va_copy(ap_copy, ap); @@ -903,10 +905,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, break; } len = ntohl(u32len); - if (len > UINT_MAX - 1){ + if (len > max_len - 1) { rc = SSH_ERROR; break; } + + rc = ssh_buffer_validate_length(buffer, len); + if (rc != SSH_OK) { + break; + } + *o.cstring = malloc(len + 1); if (*o.cstring == NULL){ rc = SSH_ERROR; @@ -925,6 +933,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, } case 'P': len = va_arg(ap, size_t); + if (len > max_len - 1) { + rc = SSH_ERROR; + break; + } + + rc = ssh_buffer_validate_length(buffer, len); + if (rc != SSH_OK) { + break; + } o.data = va_arg(ap, void **); count++; |