authorAndreas Schneider <asn@cryptomilk.org>2017-04-21 11:02:29 +0200
committerAndreas Schneider <asn@cryptomilk.org>2017-04-21 11:02:29 +0200
commitd5d8349224ef0f2ef82d175b2fcac91d769eae3b (patch)
treee1baad2d20ad12c2360d32422e1226d2dc7e0bfb /src
parent67a2ba6f993794f1d42808c76f52576a1e82f8d3 (diff)
downloadlibssh-d5d8349224ef0f2ef82d175b2fcac91d769eae3b.tar.gz
libssh-d5d8349224ef0f2ef82d175b2fcac91d769eae3b.tar.xz
libssh-d5d8349224ef0f2ef82d175b2fcac91d769eae3b.zip
misc: Validate integers converted from the SSH banner
BUG: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1181 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r--src/misc.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/src/misc.c b/src/misc.c
index 5618366f..dc09bad2 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -846,7 +846,7 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
openssh = strstr(banner, "OpenSSH");
if (openssh != NULL) {
- int major, minor;
+ unsigned int major, minor;
/*
* The banner is typical:
@@ -854,8 +854,22 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
* 012345678901234567890
*/
if (strlen(openssh) > 9) {
- major = strtol(openssh + 8, (char **) NULL, 10);
+ major = strtoul(openssh + 8, (char **) NULL, 10);
+ if (major < 1 || major > 100) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Invalid major version number: %s",
+ banner);
+ return -1;
+ }
minor = strtol(openssh + 10, (char **) NULL, 10);
+ if (minor > 100) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Invalid minor version number: %s",
+ banner);
+ return -1;
+ }
session->openssh = SSH_VERSION_INT(major, minor, 0);
SSH_LOG(SSH_LOG_RARE,
"We are talking to an OpenSSH client version: %d.%d (%x)",
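Review bot: The new range check admits a `major` of up to 100, but `minor` is still read from the fixed offset `openssh + 10`, which only matches the `OpenSSH_5.4` layout sketched in the comment when the major has a single digit; for a banner like `OpenSSH_10.2` (constructed example) the minor is parsed from `.2` and silently becomes 0. Passing an end pointer to `strtoul` and reading the minor after the `.` it stopped at ties the second parse to what was actually consumed, and using `strtoul` for both halves removes the signed/unsigned mix left on the `minor = strtol(openssh + 10, (char **) NULL, 10);` line. Now that both variables are `unsigned int`, the `%d.%d` conversions in the SSH_LOG format on the last hunk line should become `%u.%u`. ssh_analyze_banner continues beyond the hunk, so the remaining SSH_LOG arguments and the rest of the function are not visible here.
```c
            if (strlen(openssh) > 9) {
                char *end = NULL;

                major = strtoul(openssh + 8, &end, 10);
                if (major < 1 || major > 100) {
                    /* … unchanged: ssh_set_error + return -1 … */
                }
                /* the minor must follow the '.' at which the major parse stopped */
                if (end == NULL || *end != '.') {
                    ssh_set_error(session,
                                  SSH_FATAL,
                                  "Invalid version number: %s",
                                  banner);
                    return -1;
                }
                minor = strtoul(end + 1, (char **) NULL, 10);
                if (minor > 100) {
                    /* … unchanged: ssh_set_error + return -1 … */
                }
                /* … unchanged: session->openssh assignment … */
                SSH_LOG(SSH_LOG_RARE,
                        "We are talking to an OpenSSH client version: %u.%u (%x)",
```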