aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2017-02-23 16:24:17 +0100
committerAndreas Schneider <asn@cryptomilk.org>2017-04-13 16:25:40 +0200
commit68b7ca6e925f5744f5c52c56094041d63789efaa (patch)
tree9cb212a0c0b845f225eca0f3ae60b0f8f4805c59
parentc165c396de879b24f19c3a942a32795a8be351d7 (diff)
downloadlibssh-68b7ca6e925f5744f5c52c56094041d63789efaa.tar.gz
libssh-68b7ca6e925f5744f5c52c56094041d63789efaa.tar.xz
libssh-68b7ca6e925f5744f5c52c56094041d63789efaa.zip
buffer: Validate the length before before memory allocation
Check if the size the other party sent is a valid size in the transmitted buffer. Thanks to Alex Gaynor for finding and reporting the issue. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/buffer.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/src/buffer.c b/src/buffer.c
index db21b345..2da6758a 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -854,10 +854,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
char **cstring;
void **data;
} o;
- size_t len, rlen;
+ size_t len, rlen, max_len;
va_list ap_copy;
int count;
+ max_len = ssh_buffer_get_len(buffer);
+
/* copy the argument list in case a rollback is needed */
va_copy(ap_copy, ap);
@@ -909,10 +911,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
break;
}
len = ntohl(u32len);
- if (len > UINT_MAX - 1){
+ if (len > max_len - 1) {
rc = SSH_ERROR;
break;
}
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
+
*o.cstring = malloc(len + 1);
if (*o.cstring == NULL){
rc = SSH_ERROR;
@@ -931,6 +939,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
}
case 'P':
len = va_arg(ap, size_t);
+ if (len > max_len - 1) {
+ rc = SSH_ERROR;
+ break;
+ }
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
o.data = va_arg(ap, void **);
count++;