From c191ff129cd3415af08143fb40c461de5730655d Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 28 Jun 2019 19:24:55 +0100
Subject: [PATCH] Fix too-short buffer in SSH-1 key exchange.
If _both_ the host key and the server key were less than 32 bytes long, then less than 32 bytes would be allocated for the buffer s->rsabuf, into which the 32-byte session id is then copied.
---
 ssh1login.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ssh1login.c b/ssh1login.c
index d49ef669..1922820e 100644
--- a/ssh1login.c
+++ b/ssh1login.c
@@ -217,8 +217,11 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
 return;
 }
- s->len = (s->hostkey.bytes > s->servkey.bytes ?
- s->hostkey.bytes : s->servkey.bytes);
+ s->len = 32;
+ if (s->len < s->hostkey.bytes)
+ s->len = s->hostkey.bytes;
+ if (s->len < s->servkey.bytes)
+ s->len = s->servkey.bytes;
 s->rsabuf = snewn(s->len, unsigned char);