In get_ssh_string, don't get confused by lengths >= 0x80000000.

"confused" meaning "reading off the end of the input". Bug found with the help of afl-fuzz.
2025-04-10 23:58:06 -05:00 · 2015-10-10 22:59:38 +01:00 · 2015-10-10 22:59:38 +01:00 · c0e19ca19d
commit c0e19ca19d
parent 7707aa24d6
1 changed files with 1 additions and 1 deletions
--- a/misc.c
+++ b/misc.c
@ -1064,7 +1064,7 @@ int match_ssh_id(int stringlen, const void *string, const char *id)
 void *get_ssh_string(int *datalen, const void **data, int *stringlen)
 {
    void *ret;
-    int len;
+    unsigned int len;

    if (*datalen < 4)
        return NULL;