aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2015-02-02 14:14:12 +0100
committerAndreas Schneider <asn@cryptomilk.org>2015-02-02 17:32:18 +0100
commitafc9988c933ed74bd4c302d685f1b4d7e1960aab (patch)
tree193217bca85659535b0a5d5c9df47eca8844d2f1 /src
parent2490404d4505ca49e2f8eb7914bb0b1e2d64db8d (diff)
downloadlibssh-afc9988c933ed74bd4c302d685f1b4d7e1960aab.tar.gz
libssh-afc9988c933ed74bd4c302d685f1b4d7e1960aab.tar.xz
libssh-afc9988c933ed74bd4c302d685f1b4d7e1960aab.zip
buffer: Improve argument checking in ssh_buffer_pack()
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Aris Adamantiadis <aris@0xbadc0de.be>
Diffstat (limited to 'src')
-rw-r--r--src/buffer.c31
1 files changed, 26 insertions, 5 deletions
diff --git a/src/buffer.c b/src/buffer.c
index be25a32f..5eb3bb56 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -688,7 +688,11 @@ struct ssh_string_struct *buffer_get_mpint(struct ssh_buffer_struct *buffer) {
* SSH_ERROR on error
* @see ssh_buffer_add_format() for format list values.
*/
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap){
+int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ va_list ap)
+{
int rc = SSH_ERROR;
const char *p;
union {
@@ -702,8 +706,14 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
char *cstring;
bignum b;
size_t len;
+ int count;
+
+ for (p = format, count = 0; *p != '\0'; p++, count++) {
+ /* Invalid number of arguments passed */
+ if (count > argc) {
+ return SSH_ERROR;
+ }
- for (p = format; *p != '\0'; p++) {
switch(*p) {
case 'b':
o.byte = (uint8_t)va_arg(ap, unsigned int);
@@ -740,7 +750,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
break;
case 'P':
len = va_arg(ap, size_t);
+
o.data = va_arg(ap, void *);
+ count++; /* increase argument count */
+
rc = ssh_buffer_add_data(buffer, o.data, len);
o.data = NULL;
break;
@@ -769,6 +782,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
}
}
+ if (argc != count) {
+ return SSH_ERROR;
+ }
+
if (rc != SSH_ERROR){
/* verify that the last hidden argument is correct */
o.dword = va_arg(ap, uint32_t);
@@ -799,12 +816,16 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
* @warning when using 'P' with a constant size (e.g. 8), do not
* forget to cast to (size_t).
*/
-int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){
+int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ ...)
+{
va_list ap;
int rc;
- va_start(ap, format);
- rc = ssh_buffer_pack_va(buffer, format, ap);
+ va_start(ap, argc);
+ rc = ssh_buffer_pack_va(buffer, format, argc, ap);
va_end(ap);
return rc;
}