authorXi Wang <xi.wang@gmail.com>2011-11-25 23:00:13 -0500
committerAndreas Schneider <asn@cryptomilk.org>2012-10-22 21:00:08 +0200
commitd404ad71525a5cad91d030e20c5346470b20e46d (patch)
treef978c8df0c23d2375fbbb4f5979cc71cd0d3a363
parenta4ffaff550c5a5987fcf7fb5c5d2aab493428505 (diff)
channels: Fix integer overflow in generate_cookie().
Since the type of rnd[i] is signed char, (rnd[i] >> 4), which gcc treats as an arithmetic shift, can be negative, leading to an out-of-bounds read.
-rw-r--r--src/channels.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/channels.c b/src/channels.c
index 709598f2..a4733809 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -1828,7 +1828,7 @@ int ssh_channel_request_sftp( ssh_channel channel){
static ssh_string generate_cookie(void) {
static const char *hex = "0123456789abcdef";
char s[36];
- char rnd[16];
+ unsigned char rnd[16];
int i;
ssh_get_random(rnd,sizeof(rnd),0);