diff options
author | Andreas Schneider <mail@cynapses.org> | 2009-09-08 11:36:06 +0200 |
---|---|---|
committer | Andreas Schneider <mail@cynapses.org> | 2009-09-08 11:36:06 +0200 |
commit | add2aa5f45af2d381a1638cdd0d5fcacc1fdd8f9 (patch) | |
tree | cc542c8a490843231a1adda5f43ea3e94e3ad5dd /libssh/buffer.c | |
parent | 26cdf0d99422ab1490abcdce65fcfd219d763947 (diff) | |
download | libssh-add2aa5f45af2d381a1638cdd0d5fcacc1fdd8f9.tar.gz libssh-add2aa5f45af2d381a1638cdd0d5fcacc1fdd8f9.tar.xz libssh-add2aa5f45af2d381a1638cdd0d5fcacc1fdd8f9.zip |
Fix an integer overflow in buffer_get_data().
Thanks to Orange Labs for the report.
Diffstat (limited to 'libssh/buffer.c')
-rw-r--r-- | libssh/buffer.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libssh/buffer.c b/libssh/buffer.c index effc52c2..06859583 100644 --- a/libssh/buffer.c +++ b/libssh/buffer.c @@ -298,8 +298,13 @@ u32 buffer_pass_bytes_end(struct buffer_struct *buffer, u32 len){ * \returns len otherwise. */ u32 buffer_get_data(struct buffer_struct *buffer, void *data, u32 len){ - if(buffer->pos+len>buffer->used) - return 0; /*no enough data in buffer */ + /* + * Check for a integer overflow first, then check if not enough data is in + * the buffer. + */ + if (buffer->pos + len < len || buffer->pos + len > buffer->used) { + return 0; + } memcpy(data,buffer->data+buffer->pos,len); buffer->pos+=len; return len; /* no yet support for partial reads (is it really needed ?? ) */ |