author | Andreas Schneider <asn@cryptomilk.org> | 2017-04-21 11:02:29 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2017-04-21 11:02:29 +0200 |
commit | d5d8349224ef0f2ef82d175b2fcac91d769eae3b (patch) | |
tree | e1baad2d20ad12c2360d32422e1226d2dc7e0bfb /src | |
parent | 67a2ba6f993794f1d42808c76f52576a1e82f8d3 (diff) | |
misc: Validate integers converted from the SSH banner
BUG: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1181
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/misc.c | 18 |
1 files changed, 16 insertions, 2 deletions
@@ -846,7 +846,7 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
 openssh = strstr(banner, "OpenSSH");
 if (openssh != NULL) {
- int major, minor;
+ unsigned int major, minor;
 /*
 * The banner is typical:
@@ -854,8 +854,22 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
 * 012345678901234567890
 */
 if (strlen(openssh) > 9) {
- major = strtol(openssh + 8, (char **) NULL, 10);
+ major = strtoul(openssh + 8, (char **) NULL, 10);
+ if (major < 1 || major > 100) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Invalid major version number: %s",
+ banner);
+ return -1;
+ }
 minor = strtol(openssh + 10, (char **) NULL, 10);
+ if (minor > 100) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Invalid minor version number: %s",
+ banner);
+ return -1;
+ }
 session->openssh = SSH_VERSION_INT(major, minor, 0);
 SSH_LOG(SSH_LOG_RARE,
 "We are talking to an OpenSSH client version: %d.%d (%x)", |
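Review bot: The new range checks in the second hunk run only after the `strtoul`/`strtol` result has been narrowed to `unsigned int`, so where `long` is wider than `int` an oversized value from the peer's banner can wrap into 1..100 and be accepted. `minor` is also still parsed with `strtol`, and at the fixed offset `openssh + 10`, which lines up only with a one-digit major even though the check now admits majors up to 100. I would parse both fields into an `unsigned long`, range-check that before assigning, and start the minor parse from the `endptr` of the major parse; requiring a `.` separator there is stricter than the current code and should be a deliberate choice. The `%d.%d` specifiers in the trailing `SSH_LOG` call presumably now receive unsigned values (its arguments are outside the hunk), so `%u` would match. The body of `ssh_analyze_banner` starts and ends outside both hunks.

```c
if (strlen(openssh) > 9) {
    char *end = NULL;
    char *minor_start;
    unsigned long v;

    /* Range-check the full-width value before narrowing to unsigned int. */
    v = strtoul(openssh + 8, &end, 10);
    if (end == openssh + 8 || *end != '.' || v < 1 || v > 100) {
        /* … unchanged: ssh_set_error("Invalid major version number: %s"), return -1 … */
    }
    major = (unsigned int)v;

    /* The minor starts after the separator, wherever the major ended. */
    minor_start = end + 1;
    v = strtoul(minor_start, &end, 10);
    if (end == minor_start || v > 100) {
        /* … unchanged: ssh_set_error("Invalid minor version number: %s"), return -1 … */
    }
    minor = (unsigned int)v;
    /* … unchanged: SSH_VERSION_INT assignment and SSH_LOG call … */
```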