authorAndreas Schneider <asn@cryptomilk.org>2012-10-12 11:35:20 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:36:22 +0100
commitf61813eaea814b49489b3e917c6bdb850c7aeb8b (patch)
tree3572859037d65b7a1d47b9f77d7faf5865a6e2b4 /src
parentad5f306884eee6c83437defe082d57e6ca4da69a (diff)
CVE-2012-4562: Fix a possible infinite loop in buffer_reinit().
If needed is bigger than the highest power of two which fits in an integer, we will loop forever.
Diffstat (limited to 'src')
-rw-r--r--src/buffer.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/buffer.c b/src/buffer.c
index 3de4f3e3..ca120868 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -111,13 +111,18 @@ void ssh_buffer_free(struct ssh_buffer_struct *buffer) {
SAFE_FREE(buffer);
}
-static int realloc_buffer(struct ssh_buffer_struct *buffer, int needed) {
- int smallest = 1;
- char *new = NULL;
+static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed) {
+ size_t smallest = 1;
+ char *new;
+
buffer_verify(buffer);
+
/* Find the smallest power of two which is greater or equal to needed */
while(smallest <= needed) {
- smallest <<= 1;
+ if (smallest == 0) {
+ return -1;
+ }
+ smallest <<= 1;
}
needed = smallest;
new = realloc(buffer->data, needed);
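Review bot: The new guard inside the `while` loop rejects only the case where `smallest` has wrapped to zero, so any `needed` below the largest power of two representable in `size_t` still reaches `realloc(buffer->data, needed)` with a rounded-up size of up to half the address space. If `needed` can be influenced by lengths received from the peer (the callers are outside this hunk, so this is an assumption), an explicit upper bound ahead of the loop would turn an oversized request into a clean failure rather than an allocation attempt, e.g. `if (needed > BUFFER_LIMIT /* placeholder: project-chosen maximum */) return -1;`. The comment above the loop says "greater or equal", while `smallest <= needed` produces a power of two strictly greater than `needed` (4 becomes 8); either the comment or the condition should be adjusted so they agree. The body of realloc_buffer continues past the end of the hunk.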