authorJakub Jelen <jjelen@redhat.com>2019-09-24 13:23:25 +0200
committerJakub Jelen <jjelen@redhat.com>2019-09-24 16:06:38 +0200
commitaff7c500d5721e35c998b1b3c78e450fe7ff986d (patch)
tree29615a48066be4fdf3d874703bded1332624264b
parentaac682f60ea8d76b8555eff2e78025725c7630ea (diff)
buffer: Avoid use of uninitialized values
Fixes the following oss-fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17565 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/buffer.c19
1 files changed, 13 insertions, 6 deletions
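--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1119,6 +1119,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 goto cleanup;
 }
+rc = SSH_ERROR;
 switch (*p) {
 case 'b':
 o.byte = va_arg(ap, uint8_t *);
@@ -1128,20 +1129,26 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 case 'w':
 o.word = va_arg(ap, uint16_t *);
 rlen = ssh_buffer_get_data(buffer, o.word, sizeof(uint16_t));
-*o.word = ntohs(*o.word);
-rc = rlen==2 ? SSH_OK : SSH_ERROR;
+if (rlen == 2) {
+*o.word = ntohs(*o.word);
+rc = SSH_OK;
+}
 break;
 case 'd':
 o.dword = va_arg(ap, uint32_t *);
 rlen = ssh_buffer_get_u32(buffer, o.dword);
-*o.dword = ntohl(*o.dword);
-rc = rlen==4 ? SSH_OK : SSH_ERROR;
+if (rlen == 4) {
+*o.dword = ntohl(*o.dword);
+rc = SSH_OK;
+}
 break;
 case 'q':
 o.qword = va_arg(ap, uint64_t*);
 rlen = ssh_buffer_get_u64(buffer, o.qword);
-*o.qword = ntohll(*o.qword);
-rc = rlen==8 ? SSH_OK : SSH_ERROR;
+if (rlen == 8) {
+*o.qword = ntohll(*o.qword);
+rc = SSH_OK;
+}
 break;
 case 'B':
 o.bignum = va_arg(ap, bignum *);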
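Review bot: The new `rc = SSH_ERROR;` placed just before `switch (*p)` carries the invariant the whole fix relies on — a case may now set `rc = SSH_OK` only after a complete read — but nothing at that spot says so, and the next format letter added to the switch can silently break it. A one-line comment above the assignment, `/* Default to failure: each case sets SSH_OK only after a complete read. */`, makes the rule visible where it matters. ssh_buffer_unpack_va begins outside this hunk, so whether rc is also initialised earlier in the function cannot be confirmed from here; the pre-switch default is correct either way.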