From 19467455fe7840ab146f47136c88f61c87365e8c Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Wed, 25 Jan 2017 19:47:08 +0000
Subject: [PATCH] Fix an integer overflow in get_ssh_string.

If the length field in the input data was so large that adding 4 to it caused wraparound, the error check could fail to trigger. Fortunately, this praticular get_ssh_string function is only used during private key import from foreign file formats, so it won't be facing hostile data.
---
 misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc.c b/misc.c
index ed6290f5..5fd58a13 100644
--- a/misc.c
+++ b/misc.c
@@ -1118,7 +1118,7 @@ void *get_ssh_string(int *datalen, const void **data, int *stringlen)
 if (*datalen < 4)
 return NULL;
 len = GET_32BIT_MSB_FIRST((const unsigned char *)*data);
- if (*datalen < len+4)
+ if (*datalen - 4 < len)
 return NULL;
 ret = (void *)((const char *)*data + 4);
 *datalen -= len + 4;
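Review bot: The new bound check `if (*datalen - 4 < len)` is only correct if `len` is an unsigned type, and its declaration lies outside this hunk (the function body starts and ends outside it). With an unsigned `len` the comparison is done in unsigned arithmetic and the earlier `*datalen < 4` guard keeps the left side non-negative; with a signed `len`, a length field with the top bit set would turn negative and pass the check, after which `*datalen -= len + 4` would increase the remaining length. Writing the conversion out, e.g. `if (len > (unsigned)(*datalen - 4))`, with a comment such as `/* subtract on the left: len + 4 can wrap for a huge length field */`, would keep a later edit from restoring the overflowing form. The commit message's assumption that this parser never faces hostile data is also worth stating in a comment on the function, so a future caller that handles network input does not inherit it unknowingly.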