nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-27 02:02:26 +00:00
Code Issues Projects Releases Wiki Activity

Fix an integer overflow in get_ssh_string.

Browse Source 
If the length field in the input data was so large that adding 4 to it
caused wraparound, the error check could fail to trigger. Fortunately,
this praticular get_ssh_string function is only used during private
key import from foreign file formats, so it won't be facing hostile
data.
This commit is contained in:
Simon Tatham 2017-01-25 19:47:08 +00:00
parent 737cb2d24e
commit 19467455fe
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
misc.c
View File

@ -1118,7 +1118,7 @@ void *get_ssh_string(int *datalen, const void **data, int *stringlen)
if (*datalen < 4) if (*datalen < 4)
return NULL; return NULL;
len = GET_32BIT_MSB_FIRST((const unsigned char *)*data); len = GET_32BIT_MSB_FIRST((const unsigned char *)*data);
if (*datalen < len+4) if (*datalen - 4 < len)
return NULL; return NULL;
ret = (void *)((const char *)*data + 4); ret = (void *)((const char *)*data + 4);
*datalen -= len + 4; *datalen -= len + 4;