aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/buffer.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/src/buffer.c b/src/buffer.c
index db21b345..2da6758a 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -854,10 +854,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
char **cstring;
void **data;
} o;
- size_t len, rlen;
+ size_t len, rlen, max_len;
va_list ap_copy;
int count;
+ max_len = ssh_buffer_get_len(buffer);
+
/* copy the argument list in case a rollback is needed */
va_copy(ap_copy, ap);
@@ -909,10 +911,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
break;
}
len = ntohl(u32len);
- if (len > UINT_MAX - 1){
+ if (len > max_len - 1) {
rc = SSH_ERROR;
break;
}
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
+
*o.cstring = malloc(len + 1);
if (*o.cstring == NULL){
rc = SSH_ERROR;
@@ -931,6 +939,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
}
case 'P':
len = va_arg(ap, size_t);
+ if (len > max_len - 1) {
+ rc = SSH_ERROR;
+ break;
+ }
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
o.data = va_arg(ap, void **);
count++;