authorAndreas Schneider <asn@cryptomilk.org>2012-10-05 11:39:47 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:36:24 +0100
commitbd3acae4f3ce82d2be22674d6381431cf9f54d6f (patch)
tree3a6f9b044b14c52a4064e07327e456b04166ddc3
parent894bbf3137425409e297e5695dd6070166f98d3b (diff)
CVE-2012-4560: Fix a write one past the end of 'buf'.
-rw-r--r--src/misc.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/misc.c b/src/misc.c
index c2876bde..99f60b48 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -723,7 +723,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
if (*p != '%') {
buf[i] = *p;
i++;
- if (i > MAX_BUF_SIZE) {
+ if (i >= MAX_BUF_SIZE) {
+ free(r);
return NULL;
}
buf[i] = '\0';
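Review bot: The early return under `if (i >= MAX_BUF_SIZE)` frees `r` and returns NULL without recording an error on the session, whereas the length check in the second hunk calls `ssh_set_error(session, SSH_FATAL, "String too long")` before it bails out. A caller that gets NULL from this branch has nothing to tell an over-long path apart from any other failure, so I would add `ssh_set_error(session, SSH_FATAL, "String too long");` ahead of `free(r);`. The declaration of `buf` and the enclosing loop are outside the hunk, so the corrected bound presumably relies on `buf` holding exactly MAX_BUF_SIZE bytes. A short comment such as `/* keep one byte free for the terminating NUL written below */` on the check would record why the comparison is `>=`.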
@@ -775,7 +776,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
}
i += strlen(x);
- if (i > MAX_BUF_SIZE) {
+ if (i >= MAX_BUF_SIZE) {
ssh_set_error(session, SSH_FATAL,
"String too long");
free(x);