diff options
| author | Aris Adamantiadis <aris@0xbadc0de.be> | 2014-04-22 23:00:06 +0200 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2014-08-06 09:58:52 +0200 |
| commit | 3b4b0f01ecdc8b24cb10d871f200abb26bef1548 (patch) | |
| tree | a438f0881b05e17a01bfb03b39abe2ef1caebeb8 /src/buffer.c | |
| parent | 7bd62dd652ba59c2ef4dfb9c3cc8d1262a48901d (diff) | |
| download | libssh-3b4b0f01ecdc8b24cb10d871f200abb26bef1548.tar.gz libssh-3b4b0f01ecdc8b24cb10d871f200abb26bef1548.tar.xz libssh-3b4b0f01ecdc8b24cb10d871f200abb26bef1548.zip | |
buffer: add a hidden canary to detect format errors
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'src/buffer.c')
| -rw-r--r-- | src/buffer.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/src/buffer.c b/src/buffer.c index c2879b4b..7d4c7b3f 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -732,6 +732,13 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_ } } + if (rc != SSH_ERROR){ + /* verify that the last hidden argument is correct */ + o.dword = va_arg(ap, uint32_t); + if (o.dword != SSH_BUFFER_PACK_END){ + rc = SSH_ERROR; + } + } return rc; } @@ -754,7 +761,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_ * @warning when using 'P' with a constant size (e.g. 8), do not * forget to cast to (size_t). */ -int ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){ +int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){ va_list ap; int rc; @@ -876,7 +883,13 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, v break; } } - + if (rc != SSH_ERROR){ + /* verify that the last hidden argument is correct */ + uint32_t canary = va_arg(ap, uint32_t); + if (canary != SSH_BUFFER_PACK_END){ + rc = SSH_ERROR; + } + } if (rc != SSH_OK){ /* Reset the format string and erase everything that was allocated */ last = p; @@ -930,7 +943,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, v * @warning when using 'P' with a constant size (e.g. 8), do not * forget to cast to (size_t). */ -int ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...){ +int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...){ va_list ap; int rc; |