author | Andreas Schneider <asn@cryptomilk.org> | 2015-02-02 14:14:12 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2015-02-02 17:32:18 +0100 |
commit | afc9988c933ed74bd4c302d685f1b4d7e1960aab (patch) | |
tree | 193217bca85659535b0a5d5c9df47eca8844d2f1 /src | |
parent | 2490404d4505ca49e2f8eb7914bb0b1e2d64db8d (diff) | |
buffer: Improve argument checking in ssh_buffer_pack()
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Aris Adamantiadis <aris@0xbadc0de.be>
Diffstat (limited to 'src')
-rw-r--r-- | src/buffer.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/src/buffer.c b/src/buffer.c
index be25a32f..5eb3bb56 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -688,7 +688,11 @@ struct ssh_string_struct *buffer_get_mpint(struct ssh_buffer_struct *buffer) {
 * SSH_ERROR on error
 * @see ssh_buffer_add_format() for format list values.
 */
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap){
+int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ va_list ap)
+{
 int rc = SSH_ERROR;
 const char *p;
 union {
@@ -702,8 +706,14 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 char *cstring;
 bignum b;
 size_t len;
+ int count;
+
+ for (p = format, count = 0; *p != '\0'; p++, count++) {
+ /* Invalid number of arguments passed */
+ if (count > argc) {
+ return SSH_ERROR;
+ }
 
- for (p = format; *p != '\0'; p++) {
 switch(*p) {
 case 'b':
 o.byte = (uint8_t)va_arg(ap, unsigned int);
@@ -740,7 +750,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 break;
 case 'P':
 len = va_arg(ap, size_t);
+
 o.data = va_arg(ap, void *);
+ count++; /* increase argument count */
+
 rc = ssh_buffer_add_data(buffer, o.data, len);
 o.data = NULL;
 break;
@@ -769,6 +782,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 }
 }
 
+ if (argc != count) {
+ return SSH_ERROR;
+ }
+
 if (rc != SSH_ERROR){
 /* verify that the last hidden argument is correct */
 o.dword = va_arg(ap, uint32_t);
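Review bot: The doc comment that closes just above `ssh_buffer_pack_va` (hunk @@ -688) gains no entry for the new `argc` parameter, and the same is true for `_ssh_buffer_pack` in hunk @@ -799. Both comments start outside their hunks, and no earlier hunk in this file touches them, so the parameter lists were left as they were. I would add `@param[in] argc Number of variadic arguments that follow, not counting the hidden end marker; a 'P' entry counts as two.` to each comment so callers know what the count must cover.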
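Review bot: The guard `if (count > argc)` at the top of the loop in hunk @@ -702 still lets the body run once with `count == argc`, so a format with one specifier more than `argc` reaches a `va_arg` for a value the caller did not pass as data. At that position the read consumes the hidden end marker that the code after the loop expects to verify, and in the 'P' case it would be taken as a length or a data pointer. The `argc != count` test after the loop does reject the call, but only after that read has happened. Comparing with `if (count >= argc)` closes it for one-argument specifiers; the 'P' case in hunk @@ -740 consumes two arguments under a single check and needs `if (count + 1 >= argc) return SSH_ERROR;` before its first `va_arg`. The loop body continues outside both hunks, so the remaining cases should be checked for the same pattern.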
@@ -799,12 +816,16 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 * @warning when using 'P' with a constant size (e.g. 8), do not
 * forget to cast to (size_t).
 */
-int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){
+int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ ...)
+{
 va_list ap;
 int rc;
 
- va_start(ap, format);
- rc = ssh_buffer_pack_va(buffer, format, ap);
+ va_start(ap, argc);
+ rc = ssh_buffer_pack_va(buffer, format, argc, ap);
 va_end(ap);
 return rc;
 } |
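Review bot: `_ssh_buffer_pack` takes `argc` from its caller and forwards it unchanged, so the new checks in `ssh_buffer_pack_va` are only as reliable as whatever computes that count; the diffstat is limited to 'src', so the wrapper that supplies it (presumably the `ssh_buffer_pack()` named in the commit title) is not visible here. A direct caller that was not updated may still compile when its first variadic argument is an integer, and that value would then be taken as `argc`. I would add a comment above the function such as `/* Do not call directly: argc must equal the number of arguments that follow, excluding the end marker. */` and confirm that every call site goes through the wrapper.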