author | Xiang Xiao <xiaoxiang@xiaomi.com> | 2021-05-10 01:35:29 +0800 |
---|---|---|
committer | Jakub Jelen <jjelen@redhat.com> | 2021-06-16 11:58:07 +0200 |
commit | 925dc92d527ebc739b535932fbb4fad6789ab7af (patch) | |
tree | 6bd478f973dfdf8ee773ba9fbb45593cd127dd98 /src | |
parent | 9eba361ca278b673183efad31e66ed40431a1249 (diff) | |
misc: Avoid the 4KB stack buffer in ssh_bind_options_expand_escape
Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Change-Id: Icfd24fdb8c7f549b8cb72d793cfc767979740fdc
Diffstat (limited to 'src')
-rw-r--r-- | src/options.c | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/src/options.c b/src/options.c
index d5921645..264eacb7 100644
--- a/src/options.c
+++ b/src/options.c
@@ -2031,8 +2031,9 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
 static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s)
 {
- char buf[MAX_BUF_SIZE];
- char *r, *x = NULL;
+ char *buf = NULL;
+ char *r = NULL;
+ char *x = NULL;
 const char *p;
 size_t i, l;
@@ -2048,6 +2049,13 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s)
 return NULL;
 }
+ buf = malloc(MAX_BUF_SIZE);
+ if (buf == NULL) {
+ ssh_set_error_oom(sshbind);
+ free(r);
+ return NULL;
+ }
+
 p = r;
 buf[0] = '\0';
@@ -2056,6 +2064,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s)
 buf[i] = *p;
 i++;
 if (i >= MAX_BUF_SIZE) {
+ free(buf);
 free(r);
 return NULL;
 }
@@ -2075,12 +2084,14 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s)
 default:
 ssh_set_error(sshbind, SSH_FATAL, "Wrong escape sequence detected");
+ free(buf);
 free(r);
 return NULL;
 }
 if (x == NULL) {
 ssh_set_error_oom(sshbind);
+ free(buf);
 free(r);
 return NULL;
 }
@@ -2089,18 +2100,26 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s)
 if (i >= MAX_BUF_SIZE) {
 ssh_set_error(sshbind, SSH_FATAL, "String too long");
+ free(buf);
 free(x);
 free(r);
 return NULL;
 }
 l = strlen(buf);
- strncpy(buf + l, x, sizeof(buf) - l - 1);
+ strncpy(buf + l, x, MAX_BUF_SIZE - l - 1);
 buf[i] = '\0';
 SAFE_FREE(x);
 }
 free(r);
- return strdup(buf);
+
+ /* strip the unused space by realloc */
+ x = realloc(buf, strlen(buf) + 1);
+ if (x == NULL) {
+ ssh_set_error_oom(sshbind);
+ free(buf);
+ }
+ return x;
 }
 /** |
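Review bot: In the `@@ -2056,6 +2064,7 @@` hunk, the `if (i >= MAX_BUF_SIZE)` branch that follows `buf[i] = *p; i++;` frees `buf` and `r` and returns NULL without recording any error on `sshbind`, while the equivalent bound check in the `@@ -2089,18 +2100,26 @@` hunk reports "String too long". A caller that receives NULL from this branch presumably sees no error, or a stale one left by an earlier call. Since the commit already edits this branch, add `ssh_set_error(sshbind, SSH_FATAL, "String too long");` before `free(buf);`. The loop this branch belongs to starts and ends outside the hunk.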
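Review bot: Every failure exit now has to repeat the right combination of frees by hand, so the next exit added to this function can easily leak the 4 KB heap buffer that used to be on the stack. `free(buf); free(r);` appears in both branches of this `@@ -2075,12 +2084,14 @@` hunk and again in the `@@ -2056,6 +2064,7 @@` and `@@ -2089,18 +2100,26 @@` hunks. A single cleanup label would remove that risk: each failure path sets its error and does `goto error;`, and the function ends with `error: free(x); free(buf); free(r); return NULL;`. That is safe because the first hunk initialises all three pointers to NULL and `free(NULL)` is a no-op. The function body starts and ends outside this hunk.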
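Review bot: In the `@@ -2089,18 +2100,26 @@` hunk, the failure path of the final `realloc` throws away a complete, valid result. When a shrinking `realloc` returns NULL the original `buf` is untouched and still holds the expanded string, so the function could return it rather than fail with an out-of-memory error: `if (x == NULL) { return buf; }`. Separately, `strncpy(buf + l, x, MAX_BUF_SIZE - l - 1)` zero-fills the rest of the buffer on every `%` expansion even though the preceding `i >= MAX_BUF_SIZE` check has already bounded the copy. Assuming `l + strlen(x) == i`, as the surrounding lines suggest, `memcpy(buf + l, x, i - l);` followed by the existing `buf[i] = '\0';` states that bound directly. The function starts outside this hunk.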