From 57550e6211c19c634a319bed59d39b28d020dcd1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 23 Feb 2017 16:24:17 +0100
Subject: buffer: Validate the length before before memory allocation

Check if the size the other party sent is a valid size in the transmitted buffer.

Thanks to Alex Gaynor for finding and reporting the issue.

Signed-off-by: Andreas Schneider
---
 src/buffer.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/buffer.c b/src/buffer.c
index 0c776698..d1a727ae 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -848,10 +848,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 char **cstring;
 void **data;
 } o;
- size_t len, rlen;
+ size_t len, rlen, max_len;
 va_list ap_copy;
 int count;
+ max_len = ssh_buffer_get_len(buffer);
+
 /* copy the argument list in case a rollback is needed */
 va_copy(ap_copy, ap);
@@ -903,10 +905,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 break;
 }
 len = ntohl(u32len);
- if (len > UINT_MAX - 1){
+ if (len > max_len - 1) {
 rc = SSH_ERROR;
 break;
 }
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
+
 *o.cstring = malloc(len + 1);
 if (*o.cstring == NULL){
 rc = SSH_ERROR;
@@ -925,6 +933,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 }
 case 'P':
 len = va_arg(ap, size_t);
+ if (len > max_len - 1) {
+ rc = SSH_ERROR;
+ break;
+ }
+
+ rc = ssh_buffer_validate_length(buffer, len);
+ if (rc != SSH_OK) {
+ break;
+ }
 o.data = va_arg(ap, void **);
 count++;
-- cgit v1.2.3
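Review bot: `max_len` is captured once from `ssh_buffer_get_len(buffer)` before any field has been consumed, so for every item after the first it overstates what is still readable; the later `len > max_len - 1` tests can therefore only be a coarse pre-filter, and the real per-field bound is the `ssh_buffer_validate_length` call that follows them. That is acceptable as long as the code keeps relying on the helper, but the variable deserves a comment saying so, e.g. `/* total buffer length at entry, not the remaining length; the exact per-field check is ssh_buffer_validate_length() */`, so the next reader does not promote `max_len` into the only check. ssh_buffer_unpack_va begins and ends outside this hunk.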
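Review bot: `if (len > max_len - 1)` is evaluated in size_t, so when the buffer is empty (`max_len == 0`) the subtraction wraps to SIZE_MAX and the guard rejects nothing; the only thing that then bounds `len` before `malloc(len + 1)` is `ssh_buffer_validate_length`, whose behaviour is not visible in this patch. Writing the guard as `if (max_len == 0 || len > max_len - 1) {` keeps it meaningful on its own; the same applies to the identical test added in the 'P' case of the next hunk. The value returned by `ssh_buffer_validate_length` becomes the loop's `rc` on failure, which is only equivalent to the previous `rc = SSH_ERROR` path if the helper never returns anything other than SSH_OK or SSH_ERROR; the rollback code after the switch that consumes `rc` is outside this hunk, as is the rest of the function.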
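Review bot: the `- 1` in `if (len > max_len - 1)` is carried over from the 's' case, where one extra byte is allocated for the terminator; in the 'P' case `len` is a raw byte count, so this rejects a legitimate request for exactly `max_len` bytes that `ssh_buffer_validate_length` would presumably accept — harmless, but `if (len > max_len) {` says what is meant here. It is also worth noting in a comment that `len` on this path comes from the caller's va_list rather than from the wire, e.g. `/* len is caller-supplied here, not read from the buffer */`, since that changes what the guard protects against. On failure the second `va_arg` for `o.data` is not consumed and `count` is not incremented, which is only safe if the code after the switch stops reading `ap` as soon as `rc != SSH_OK`; that code and the end of the function lie outside the hunk.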