author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 23:00:13 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-10-22 21:00:08 +0200 |
commit | d404ad71525a5cad91d030e20c5346470b20e46d (patch) | |
tree | f978c8df0c23d2375fbbb4f5979cc71cd0d3a363 | |
parent | a4ffaff550c5a5987fcf7fb5c5d2aab493428505 (diff) | |
download | libssh-d404ad71525a5cad91d030e20c5346470b20e46d.tar.gz libssh-d404ad71525a5cad91d030e20c5346470b20e46d.tar.xz libssh-d404ad71525a5cad91d030e20c5346470b20e46d.zip |
channels: Fix integer overflow in generate_cookie().
Since the type of rnd[i] is signed char, (rnd[i] >> 4), which is
considered as arithmetic shift by gcc, could be negative, leading
to out-of-bounds read.
-rw-r--r-- | src/channels.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/channels.c b/src/channels.c
index 709598f2..a4733809 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -1828,7 +1828,7 @@ int ssh_channel_request_sftp( ssh_channel channel){
 static ssh_string generate_cookie(void) {
 static const char *hex = "0123456789abcdef";
 char s[36];
- char rnd[16];
+ unsigned char rnd[16];
 int i;
 ssh_get_random(rnd,sizeof(rnd),0); |
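Review bot: The return value of `ssh_get_random(rnd,sizeof(rnd),0);` on the last line of the hunk is discarded, so if the generator can report failure, the cookie would be derived from whatever the uninitialized `rnd` array holds. Consider checking it and failing the function, e.g. `if (!ssh_get_random(rnd, sizeof(rnd), 0)) return NULL;` (adjust the test to the function's actual success convention, and confirm callers handle a NULL cookie). The third argument `0` presumably selects the non-strong generator; since the output is used as a cookie, it is worth confirming that is intended. A short comment on the declaration would also keep the fix from being reverted, e.g. `/* unsigned: rnd[i] >> 4 is used as an index into hex[] */`. The body of generate_cookie continues past the hunk, so the indexing loop itself is not visible here.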