lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-29 01:03:57 +03:00
Code Activity

buffer: Validate the length before before memory allocation

Browse Source 
Check if the size the other party sent is a valid size in the
transmitted buffer.

Thanks to Alex Gaynor for finding and reporting the issue.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Andreas Schneider
2017-02-23 16:24:17 +01:00
parent c165c396de
commit 68b7ca6e92
1 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/buffer.c
View File

@@ -854,10 +854,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
char **cstring; char **cstring;
void **data; void **data;
} o; } o;
size_t len, rlen; size_t len, rlen, max_len;
va_list ap_copy; va_list ap_copy;
int count; int count;
max_len = ssh_buffer_get_len(buffer);
/* copy the argument list in case a rollback is needed */ /* copy the argument list in case a rollback is needed */
va_copy(ap_copy, ap); va_copy(ap_copy, ap);
@@ -909,10 +911,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
break; break;
} }
len = ntohl(u32len); len = ntohl(u32len);
if (len > UINT_MAX - 1){ if (len > max_len - 1) {
rc = SSH_ERROR; rc = SSH_ERROR;
break; break;
} }
rc = ssh_buffer_validate_length(buffer, len);
if (rc != SSH_OK) {
break;
}
*o.cstring = malloc(len + 1); *o.cstring = malloc(len + 1);
if (*o.cstring == NULL){ if (*o.cstring == NULL){
rc = SSH_ERROR; rc = SSH_ERROR;
@@ -931,6 +939,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
} }
case 'P': case 'P':
len = va_arg(ap, size_t); len = va_arg(ap, size_t);
if (len > max_len - 1) {
rc = SSH_ERROR;
break;
}
rc = ssh_buffer_validate_length(buffer, len);
if (rc != SSH_OK) {
break;
}
o.data = va_arg(ap, void **); o.data = va_arg(ap, void **);
count++; count++;