author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 23:02:06 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:36:11 +0100 |
commit | efaebad323dd5a609f7383df8687c70a426a7d53 (patch) | |
tree | 678db79a9a5fe7f83e1b92a6930ca7c0f8ee9942 /src | |
parent | cab00c3bfcc88e7321fb9670956758cdee50f49c (diff) | |
CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().
No exploit known, but it is better to check the string length.
Diffstat (limited to 'src')
-rw-r--r-- | src/dh.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -45,6 +45,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #ifndef _WIN32
 #include <netinet/in.h>
@@ -256,6 +257,10 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
 size_t i;
 size_t hlen = len * 3;
+ if (len > (UINT_MAX - 1) / 3) {
+ return NULL;
+ }
+
 hexa = malloc(hlen + 1);
 if (hexa == NULL) {
 return NULL; |
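Review bot: The new guard in ssh_get_hexa() bounds `len` with `UINT_MAX`, but `len` and `hlen` are both `size_t`, so the limit is taken from a different type than the one the multiplication is done in. Where `size_t` is at least as wide as `unsigned int` the check is conservative and still prevents `len * 3 + 1` from wrapping, but C does not guarantee that relation, so `if (len > (SIZE_MAX - 1) / 3)` with `<stdint.h>` states the intended bound directly. `hlen = len * 3` is also still computed in the initializer before the guard runs; assigning it after the check keeps a wrapped value from ever existing. A one-line comment such as `/* each input byte becomes "xx:", plus the terminating NUL */` would explain the factor 3 and the `- 1`. The function starts before and continues past this hunk, so the loop that writes into `hexa` is not visible here.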