options.c: Add validation against negative rsa min size

The argument for RSA_MIN_SIZE ssh and sshbind option is of (int *) type, and hence the caller can supply a pointer to a location storing a negative value. The commit adds a check to not allow minimum rsa key size to be set to a negative value. Signed-off-by: Eshan Kelkar <eshankelkar@galorithm.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2025-12-14 04:18:54 +03:00 · 2024-05-14 15:20:17 +05:30
parent 414a276d2b
commit e1a64c924d
1 changed files with 16 additions and 0 deletions
--- a/src/options.c
+++ b/src/options.c
@@ -1217,6 +1217,14 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                return -1;
            } else {
                int *x = (int *)value;
+
+                if (*x < 0) {
+                    ssh_set_error_invalid(session);
+                    return -1;
+                }
+
+                /* (*x == 0) is allowed as it is used to revert to default */
+
                if (*x > 0 && *x < 768) {
                    ssh_set_error(session, SSH_REQUEST_DENIED,
                                  "The provided value (%d) for minimal RSA key "
@@ -2468,6 +2476,14 @@ ssh_bind_options_set(ssh_bind sshbind,
            return -1;
        } else {
            int *x = (int *)value;
+
+            if (*x < 0) {
+                ssh_set_error_invalid(sshbind);
+                return -1;
+            }
+
+            /* (*x == 0) is allowed as it is used to revert to default */
+
            if (*x > 0 && *x < 768) {
                ssh_set_error(sshbind,
                              SSH_REQUEST_DENIED,