aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2011-11-25 23:02:57 -0500
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:36:16 +0100
commit5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc (patch)
treefc3b813786e1829c80a366a661bf6eac54154259 /src
parentefaebad323dd5a609f7383df8687c70a426a7d53 (diff)
downloadlibssh-5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc.tar.gz
libssh-5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc.tar.xz
libssh-5ffb8c7cde24fd5a7a1749b4d2b9b08ea893bddc.zip
CVE-2012-4562: Fix possible integer overflows.
Diffstat (limited to 'src')
-rw-r--r--src/string.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/string.c b/src/string.c
index b52e314b..acaa41af 100644
--- a/src/string.c
+++ b/src/string.c
@@ -22,6 +22,7 @@
*/
#include <errno.h>
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -52,6 +53,10 @@
struct ssh_string_struct *ssh_string_new(size_t size) {
struct ssh_string_struct *str = NULL;
+ if (size > UINT_MAX - sizeof(struct ssh_string_struct)) {
+ return NULL;
+ }
+
str = malloc(sizeof(struct ssh_string_struct) + size);
if (str == NULL) {
return NULL;
@@ -169,11 +174,18 @@ char *ssh_string_to_char(struct ssh_string_struct *s) {
len = ssh_string_len(s) + 1;
new = malloc(len);
+ len = ssh_string_len(s);
+ if (len + 1 < len) {
+ return NULL;
+ }
+
+ new = malloc(len + 1);
if (new == NULL) {
return NULL;
}
- memcpy(new, s->data, len - 1);
- new[len - 1] = '\0';
+ memcpy(new, s->data, len);
+ new[len] = '\0';
+
return new;
}