From ee83fb6fdb3f2eff17d45a2b739da4fea32ab601 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sat, 25 Jan 2014 15:59:04 +0000
Subject: [PATCH] Fix a potential crash in ssh_setup_portfwd.

If we search for a colon by computing ptr + host_strcspn(ptr,":"), then the resulting pointer is always non-NULL, and the 'not found' condition is not !p but !*p. This typo could have caused PuTTY to overrun a string, but not in a security-bug sense because any such string would have to have been loaded from the configuration rather than received from a hostile source.

[originally from svn r10123]
---
 ssh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index f8fc1434..1333b678 100644
--- a/ssh.c
+++ b/ssh.c
@@ -4955,7 +4955,7 @@ static void ssh_setup_portfwd(Ssh ssh, Conf *conf)
 	vp = val;
 	vp2 = vp + host_strcspn(vp, ":");
 	host = dupprintf("%.*s", (int)(vp2 - vp), vp);
-	if (vp2)
+	if (*vp2)
 	    vp2++;
 	dports = vp2;
 	dport = atoi(dports);
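Review bot: With the corrected guard, a forwarding value that contains no colon leaves vp2 at the terminating NUL, so dports becomes "" and the atoi() on the last line of the hunk silently yields port 0 instead of reporting a malformed spec; a non-numeric or out-of-range port string is accepted the same way, and atoi() has no error signalling at all. Since the value is parsed from the configuration rather than the wire, the impact is a confusing rather than exploitable failure, but a strtol() parse with an end-pointer and range check would make the rejection explicit, e.g. `char *end; long p = strtol(dports, &end, 10);` followed by `if (end == dports || *end != '\0' || p < 0 || p > 65535) { /* reject this entry */ }`. Note that host has just been allocated by dupprintf(), so any such early rejection must release it on that path. The enclosing ssh_setup_portfwd body starts and ends outside this hunk, so how entries are rejected elsewhere in the loop is not visible here and should be matched.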