aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2017-02-23 16:24:17 +0100
committerAndreas Schneider <asn@cryptomilk.org>2017-04-13 16:12:27 +0200
commit57550e6211c19c634a319bed59d39b28d020dcd1 (patch)
treeaa6735e4917b00715d73b740bd06131f6d9a38a6
parent34bdc1ca7871e8e9258077411edd516c8de55299 (diff)
downloadlibssh-57550e6211c19c634a319bed59d39b28d020dcd1.tar.gz
libssh-57550e6211c19c634a319bed59d39b28d020dcd1.tar.xz
libssh-57550e6211c19c634a319bed59d39b28d020dcd1.zip
buffer: Validate the length before before memory allocation
Check if the size the other party sent is a valid size in the transmitted buffer. Thanks to Alex Gaynor for finding and reporting the issue. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/buffer.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/src/buffer.c b/src/buffer.c
index 0c776698..d1a727ae 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -848,10 +848,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
char **cstring;
void **data;
} o;
- size_t len, rlen;
+ size_t len, rlen, max_len;
va_list ap_copy;
int count;
+ max_len = ssh_buffer_get_len(buffer);
+
/* copy the argument list in case a rollback is needed */
va_copy(ap_copy, ap);
@@ -903,10 +905,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
break;
}
len = ntohl(u32len);
- if (len > UINT_MAX - 1){
+ if (len > max_len - 1) {
rc = SSH_ERROR;
break;
}
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
+
*o.cstring = malloc(len + 1);
if (*o.cstring == NULL){
rc = SSH_ERROR;
@@ -925,6 +933,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
}
case 'P':
len = va_arg(ap, size_t);
+ if (len > max_len - 1) {
+ rc = SSH_ERROR;
+ break;
+ }
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
o.data = va_arg(ap, void **);
count++;