lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-29 01:03:57 +03:00
Code Activity

Fix buffer overflow in generate_cookie()

Browse Source 
Signed-off-by: Andreas Schneider <mail@cynapses.org>
This commit is contained in:
milo
2009-08-07 12:13:29 +02:00
committed by Andreas Schneider
parent ec02ce0ec2
commit 3ad559cc23
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
libssh/channels.c
View File

@@ -1257,8 +1257,9 @@ int channel_request_sftp( ssh_channel channel){
return channel_request_subsystem(channel, "sftp"); return channel_request_subsystem(channel, "sftp");
} }
static void generate_cookie(char *s) { static ssh_string generate_cookie(void) {
static const char *hex = "0123456789abcdef"; static const char *hex = "0123456789abcdef";
char s[36];
int i; int i;
srand ((unsigned int)time(NULL)); srand ((unsigned int)time(NULL));
@@ -1266,6 +1267,7 @@ static void generate_cookie(char *s) {
s[i] = hex[rand() % 16]; s[i] = hex[rand() % 16];
} }
s[32] = '\0'; s[32] = '\0';
return string_from_char(s);
} }
/** /**
@@ -1296,7 +1298,6 @@ int channel_request_x11(ssh_channel channel, int single_connection, const char *
ssh_buffer buffer = NULL; ssh_buffer buffer = NULL;
ssh_string p = NULL; ssh_string p = NULL;
ssh_string c = NULL; ssh_string c = NULL;
char s[32];
int rc = SSH_ERROR; int rc = SSH_ERROR;
buffer = buffer_new(); buffer = buffer_new();
@@ -1312,8 +1313,7 @@ int channel_request_x11(ssh_channel channel, int single_connection, const char *
if (cookie) { if (cookie) {
c = string_from_char(cookie); c = string_from_char(cookie);
} else { } else {
generate_cookie(s); c = generate_cookie();
c = string_from_char(s);
} }
if (c == NULL) { if (c == NULL) {
goto error; goto error;