diff options
| author | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-09-13 22:07:01 +0200 |
|---|---|---|
| committer | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-09-13 22:07:01 +0200 |
| commit | f28352707ab8aa7e1717cea53e4cdcf46f1dc156 (patch) | |
| tree | 82ff5a244cd5f4d9366b169734b3399085653548 | |
| parent | 4b363928f6a29e9cf2f2f33b86cb860ef0ab4dec (diff) | |
| download | libssh-f28352707ab8aa7e1717cea53e4cdcf46f1dc156.tar.gz libssh-f28352707ab8aa7e1717cea53e4cdcf46f1dc156.tar.xz libssh-f28352707ab8aa7e1717cea53e4cdcf46f1dc156.zip | |
Fix the security bug found by Orange Labs
Verify the length of decrypt operation is a multiple of blocksize
| -rw-r--r-- | libssh/crypt.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libssh/crypt.c b/libssh/crypt.c index f84a96f7..1d4af3e1 100644 --- a/libssh/crypt.c +++ b/libssh/crypt.c @@ -59,7 +59,10 @@ uint32_t packet_decrypt_len(SSH_SESSION *session, char *crypted){ int packet_decrypt(SSH_SESSION *session, void *data,uint32_t len) { struct crypto_struct *crypto = session->current_crypto->in_cipher; char *out = NULL; - + if(len % session->current_crypto->in_cipher->blocksize != 0){ + ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len); + return SSH_ERROR; + } out = malloc(len); if (out == NULL) { return -1; @@ -99,7 +102,10 @@ unsigned char *packet_encrypt(SSH_SESSION *session, void *data, uint32_t len) { if (!session->current_crypto) { return NULL; /* nothing to do here */ } - + if(len % session->current_crypto->in_cipher->blocksize != 0){ + ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len); + return NULL; + } out = malloc(len); if (out == NULL) { return NULL; |