Add an assortment of extra safety checks.

[originally from svn r9896]
2025-01-09 17:38:00 +00:00 · 2013-07-08 22:36:04 +00:00 · 2013-07-08 22:36:04 +00:00 · 8b6a8b617f
commit 8b6a8b617f
parent ac8baf4cac
3 changed files with 6 additions and 2 deletions
--- a/import.c
+++ b/import.c
@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, int len, struct mpint_pos *ret)
    if (len < 4)
        goto error;
    bytes = GET_32BIT(d);
-    if (len < 4+bytes)
+    if (bytes < 0 || len-4 < bytes)
        goto error;

    ret->start = d + 4;
--- a/sshdss.c
+++ b/sshdss.c
@ -43,6 +43,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
    if (*datalen < 4)
 	return;
    *length = GET_32BIT(*data);
+    if (*length < 0)
+        return;
    *datalen -= 4;
    *data += 4;
    if (*datalen < *length)
@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int len)
    }
 #endif

-    if (!p || memcmp(p, "ssh-dss", 7)) {
+    if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 	sfree(dss);
 	return NULL;
    }
--- a/sshrsa.c
+++ b/sshrsa.c
@ -526,6 +526,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
    if (*datalen < 4)
 	return;
    *length = GET_32BIT(*data);
+    if (*length < 0)
+        return;
    *datalen -= 4;
    *data += 4;
    if (*datalen < *length)