authorAndreas Schneider <mail@cynapses.org>2009-09-03 17:11:42 +0200
committerAndreas Schneider <mail@cynapses.org>2009-09-03 17:11:42 +0200
commit8344598910e96899c16011559f2e9f8f26c4d24d (patch)
tree5efe5e18a6904f0db31e9060b9789ac1189d91a9
parent16870abed7a13ae92a246f9ea85f3b58b08f0ede (diff)
Fix an integer overflow in buffer_get_data().
Thanks to Orange Labs for the report.
-rw-r--r--libssh/buffer.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libssh/buffer.c b/libssh/buffer.c
index d3d249e4..2f450b50 100644
--- a/libssh/buffer.c
+++ b/libssh/buffer.c
@@ -339,8 +339,13 @@ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){
* \returns len otherwise.
*/
uint32_t buffer_get_data(struct ssh_buffer_struct *buffer, void *data, uint32_t len){
- if(buffer->pos+len>buffer->used)
- return 0; /*no enough data in buffer */
+ /*
+ * Check for a integer overflow first, then check if not enough data is in
+ * the buffer.
+ */
+ if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+ return 0;
+ }
memcpy(data,buffer->data+buffer->pos,len);
buffer->pos+=len;
return len; /* no yet support for partial reads (is it really needed ?? ) */
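Review bot: The new guard computes `buffer->pos + len` twice and depends on unsigned wraparound to catch the overflow; comparing `len` against the bytes remaining avoids the addition altogether: `if (len > buffer->used - buffer->pos) { return 0; }`. That form is only safe if `pos <= used` always holds, and neither that invariant nor the field types of `pos` and `used` are visible in this hunk, so it should be confirmed against the struct definition. `buffer_pass_bytes_end()`, named in the hunk header, takes the same `uint32_t len`; its body is not shown, so its bounds check is worth confirming as wrap-safe too. The doc comment above could also state that 0 is returned when `len` exceeds the unread data, with nothing copied. The function's closing brace lies outside the hunk.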