authorXi Wang <xi.wang@gmail.com>2011-11-25 23:02:06 -0500
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:36:11 +0100
commitefaebad323dd5a609f7383df8687c70a426a7d53 (patch)
tree678db79a9a5fe7f83e1b92a6930ca7c0f8ee9942 /src
parentcab00c3bfcc88e7321fb9670956758cdee50f49c (diff)
CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().
No exploit known, but it is better to check the string length.
Diffstat (limited to 'src')
-rw-r--r--src/dh.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/dh.c b/src/dh.c
index 0d46c591..997ae852 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -45,6 +45,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#ifndef _WIN32
#include <netinet/in.h>
@@ -256,6 +257,10 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
size_t i;
size_t hlen = len * 3;
+ if (len > (UINT_MAX - 1) / 3) {
+ return NULL;
+ }
+
hexa = malloc(hlen + 1);
if (hexa == NULL) {
return NULL;
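Review bot: The guard added in `ssh_get_hexa()` bounds `len` with `UINT_MAX` although `len` and `hlen` are `size_t`, so the limit follows the width of `unsigned int` rather than the type whose `len * 3` and `hlen + 1` arithmetic it protects. If the intent is purely to prevent wrap-around, `if (len > (SIZE_MAX - 1) / 3) {` (with `<stdint.h>` in place of `<limits.h>`) states it exactly; if the smaller cap is deliberate, a comment such as `/* len * 3 + 1 must not wrap; capped at UINT_MAX on purpose */` would record that. `hlen` is still initialised from `len * 3` above the check, which is well-defined for unsigned types but reads more clearly if the assignment moves below the guard. The function starts above and continues below this hunk, so how callers handle the new NULL return for oversized input is not visible here.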