authorAris Adamantiadis <aris@0xbadc0de.be>2009-09-13 22:07:01 +0200
committerAndreas Schneider <mail@cynapses.org>2009-09-13 22:44:31 +0200
commit9ef0837c80eea152244500302f05639a2a70b9af (patch)
tree090b50fc8e8d4a95ed5a6c8ce0ae8345aa500dab
parent2f66b3be13f7a10e9e9b1a01b05bea27a2212686 (diff)
Fix the security bug found by Orange Labs
Verify the length of decrypt operation is a multiple of blocksize
-rw-r--r--libssh/crypt.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/libssh/crypt.c b/libssh/crypt.c
index 3e9a8525..5c95e62d 100644
--- a/libssh/crypt.c
+++ b/libssh/crypt.c
@@ -60,7 +60,10 @@ u32 packet_decrypt_len(SSH_SESSION *session, char *crypted){
int packet_decrypt(SSH_SESSION *session, void *data,u32 len) {
struct crypto_struct *crypto = session->current_crypto->in_cipher;
char *out = NULL;
-
+ if(len % session->current_crypto->in_cipher->blocksize != 0){
+ ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
+ return SSH_ERROR;
+ }
out = malloc(len);
if (out == NULL) {
return -1;
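Review bot: The new guard in packet_decrypt still accepts `len == 0`, because `0 % blocksize` is 0, although the error text says at least one block is required. If a zero-length decrypt is not meant to be valid, the condition could read `if (len == 0 || len % crypto->blocksize != 0) {`, reusing the local `crypto` that already holds `in_cipher`. `len` is a `u32`, so the format should be `%u` rather than `%d`; the same applies to the message added in the packet_encrypt hunk. The rest of the function lies outside the hunk, so whether a zero length causes harm further down cannot be confirmed from here.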
@@ -100,7 +103,10 @@ unsigned char *packet_encrypt(SSH_SESSION *session, void *data, u32 len) {
if (!session->current_crypto) {
return NULL; /* nothing to do here */
}
-
+ if(len % session->current_crypto->in_cipher->blocksize != 0){
+ ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
+ return NULL;
+ }
out = malloc(len);
if (out == NULL) {
return NULL;
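Review bot: The length check added to packet_encrypt reads `in_cipher->blocksize`, but this is the outbound path. The block size that matters for data being encrypted is presumably that of the outbound cipher, and the two can differ when a different cipher is negotiated for each direction. Suggest `if (len % session->current_crypto->out_cipher->blocksize != 0) {`, assuming the rest of the function encrypts with `out_cipher` (its body continues outside the hunk). The only guard visible before the dereference is the one on `current_crypto`, so it is also worth confirming that the cipher pointer used here cannot be NULL at this point.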