mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Fix an integer overflow in get_ssh_string.

If the length field in the input data was so large that adding 4 to it
caused wraparound, the error check could fail to trigger. Fortunately,
this particular get_ssh_string function is only used during private
key import from foreign file formats, so it won't be facing hostile
data.
Simon Tatham 2017-01-25 19:47:08 +00:00
parent 737cb2d24e
commit 19467455fe

misc.c

@ -1118,7 +1118,7 @@ void *get_ssh_string(int *datalen, const void **data, int *stringlen)
if (*datalen < 4)
return NULL;
len = GET_32BIT_MSB_FIRST((const unsigned char *)*data);
if (*datalen < len+4)
if (*datalen - 4 < len)
return NULL;
ret = (void *)((const char *)*data + 4);
*datalen -= len + 4;
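
Review bot: the rewritten check `if (*datalen - 4 < len)` is correct only if `len` is an unsigned type, and its declaration is outside this hunk, so that should be confirmed or made explicit. With an unsigned `len` the left side is non-negative (guaranteed by the preceding `*datalen < 4` test) and converts safely for the comparison; with a signed `len`, a length field with the top bit set would be negative, pass this check, and reach `*datalen -= len + 4`. A one-line comment above the check saying the subtraction form is deliberate, because `len+4` can wrap, would also keep a later cleanup from restoring the old expression.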