From c0e19ca19d5be1fea5bc6f75bc18c0e2c4462b64 Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sat, 10 Oct 2015 22:59:38 +0100
Subject: [PATCH] In get_ssh_string, don't get confused by lengths >= 0x80000000.

"confused" meaning "reading off the end of the input".

Bug found with the help of afl-fuzz.
---
 misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc.c b/misc.c
index b1bfb361..6af441c3 100644
--- a/misc.c
+++ b/misc.c
@@ -1064,7 +1064,7 @@ int match_ssh_id(int stringlen, const void *string, const char *id)
 void *get_ssh_string(int *datalen, const void **data, int *stringlen)
 {
     void *ret;
-    int len;
+    unsigned int len;
 
     if (*datalen < 4)
 	return NULL;
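Review bot: The widened `unsigned int len;` on the `+` line carries the whole fix, but nothing at the declaration records why the signedness matters, so a later cleanup could silently turn it back into `int`; add `/* unsigned: a 32-bit wire length with the top bit set must not read as negative in the bound check */` above it. The bound check this protects lives in the part of get_ssh_string that continues past the hunk, so I could not confirm from here that `len` is only compared against `*datalen - 4` after the `*datalen < 4` guard shown, nor that `*stringlen` (still an `int`) only ever receives a value that passed that comparison; both are worth a glance while the change is fresh.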