diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 23:02:57 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:36:16 +0100 |
commit | 5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc (patch) | |
tree | fc3b813786e1829c80a366a661bf6eac54154259 /src | |
parent | efaebad323dd5a609f7383df8687c70a426a7d53 (diff) | |
download | libssh-5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc.tar.gz libssh-5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc.tar.xz libssh-5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc.zip |
CVE-2012-4562: Fix possible integer overflows.
Diffstat (limited to 'src')
-rw-r--r-- | src/string.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/string.c b/src/string.c index b52e314b..acaa41af 100644 --- a/src/string.c +++ b/src/string.c @@ -22,6 +22,7 @@ */ #include <errno.h> +#include <limits.h> #include <stdlib.h> #include <string.h> @@ -52,6 +53,10 @@ struct ssh_string_struct *ssh_string_new(size_t size) { struct ssh_string_struct *str = NULL; + if (size > UINT_MAX - sizeof(struct ssh_string_struct)) { + return NULL; + } + str = malloc(sizeof(struct ssh_string_struct) + size); if (str == NULL) { return NULL; @@ -169,11 +174,18 @@ char *ssh_string_to_char(struct ssh_string_struct *s) { len = ssh_string_len(s) + 1; new = malloc(len); + len = ssh_string_len(s); + if (len + 1 < len) { + return NULL; + } + + new = malloc(len + 1); if (new == NULL) { return NULL; } - memcpy(new, s->data, len - 1); - new[len - 1] = '\0'; + memcpy(new, s->data, len); + new[len] = '\0'; + return new; } |