author | Andreas Schneider <asn@cryptomilk.org> | 2012-10-12 11:35:20 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-11-14 17:36:22 +0100 |
commit | f61813eaea814b49489b3e917c6bdb850c7aeb8b (patch) | |
tree | 3572859037d65b7a1d47b9f77d7faf5865a6e2b4 /src | |
parent | ad5f306884eee6c83437defe082d57e6ca4da69a (diff) | |
CVE-2012-4562: Fix a possible infinite loop in buffer_reinit().
If needed is bigger than the highest power of two which fits in an
integer we will loop forever.
Diffstat (limited to 'src')
-rw-r--r-- | src/buffer.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/buffer.c b/src/buffer.c
index 3de4f3e3..ca120868 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -111,13 +111,18 @@ void ssh_buffer_free(struct ssh_buffer_struct *buffer) {
 SAFE_FREE(buffer);
 }
 
-static int realloc_buffer(struct ssh_buffer_struct *buffer, int needed) {
- int smallest = 1;
- char *new = NULL;
+static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed) {
+ size_t smallest = 1;
+ char *new;
+
 buffer_verify(buffer);
+
 /* Find the smallest power of two which is greater or equal to needed */
 while(smallest <= needed) {
- smallest <<= 1;
+ if (smallest == 0) {
+ return -1;
+ }
+ smallest <<= 1;
 }
 needed = smallest;
 new = realloc(buffer->data, needed); |
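Review bot: The `smallest == 0` guard inside the `while` loop stops the spin, but nothing caps `needed` itself, so the result now depends on the width of `size_t`. The struct definition and the rest of realloc_buffer are outside this hunk; if the field that later records the allocation size is narrower than `size_t` (presumably a 32-bit member, to be confirmed), a request just under 2^32 rounds up to 2^32 on a 64-bit build and could be stored truncated. An explicit bound before the loop, e.g. `if (needed > BUFFER_SIZE_MAX) return -1;` (placeholder name for a project-chosen limit), would make the rejection independent of word size. The context comment is also slightly off: with the condition `smallest <= needed` the loop yields the smallest power of two strictly greater than `needed`, so `/* Find the smallest power of two which is strictly greater than needed */` would match the code.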