diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/buffer.c | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/src/buffer.c b/src/buffer.c index db21b345..2da6758a 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -854,10 +854,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, char **cstring; void **data; } o; - size_t len, rlen; + size_t len, rlen, max_len; va_list ap_copy; int count; + max_len = ssh_buffer_get_len(buffer); + /* copy the argument list in case a rollback is needed */ va_copy(ap_copy, ap); @@ -909,10 +911,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, break; } len = ntohl(u32len); - if (len > UINT_MAX - 1){ + if (len > max_len - 1) { rc = SSH_ERROR; break; } + + rc = ssh_buffer_validate_length(buffer, len); + if (rc != SSH_OK) { + break; + } + *o.cstring = malloc(len + 1); if (*o.cstring == NULL){ rc = SSH_ERROR; @@ -931,6 +939,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, } case 'P': len = va_arg(ap, size_t); + if (len > max_len - 1) { + rc = SSH_ERROR; + break; + } + + rc = ssh_buffer_validate_length(buffer, len); + if (rc != SSH_OK) { + break; + } o.data = va_arg(ap, void **); count++; |