nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-06-01 09:20:28 -05:00
Code Issues Projects Releases Wiki Activity

Fix vulnerability CVE-2016-2563 in old scp protocol.

Browse Source 
There was a rogue sscanf("%s") with no field width limit, targeting a
stack-based buffer, and scanning a string containing untrusted data.
It occurs in the 'sink' side of the protocol, i.e. when downloading
files *from* the server.

Our own bug id for this vulnerability is 'vuln-pscp-sink-sscanf'.
This commit is contained in:
Simon Tatham 2016-02-24 20:13:10 +00:00
parent 51586b6f26
commit bc6c15ab5f
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pscp.c
View File

@ -1528,7 +1528,7 @@ int scp_get_sink_action(struct scp_sink_action *act)
{ {
char sizestr[40]; char sizestr[40];
if (sscanf(act->buf, "%lo %s %n", &act->permissions, if (sscanf(act->buf, "%lo %39s %n", &act->permissions,
sizestr, &i) != 2) sizestr, &i) != 2)
bump("Protocol error: Illegal file descriptor format"); bump("Protocol error: Illegal file descriptor format");
act->size = uint64_from_decimal(sizestr); act->size = uint64_from_decimal(sizestr);