lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-08-07 08:02:55 +03:00
Code Activity

CVE-2012-4562: Fix a possible infinite loop in buffer_reinit().

Browse Source 
If needed is bigger than the highest power of two or a which fits in an
integer we will loop forever.
This commit is contained in:
Andreas Schneider
2012-10-12 11:35:20 +02:00
parent ad5f306884
commit f61813eaea
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/buffer.c
View File

@@ -111,13 +111,18 @@ void ssh_buffer_free(struct ssh_buffer_struct *buffer) {
SAFE_FREE(buffer); SAFE_FREE(buffer);
} }
static int realloc_buffer(struct ssh_buffer_struct *buffer, int needed) { static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed) {
int smallest = 1; size_t smallest = 1;
char *new = NULL; char *new;
buffer_verify(buffer); buffer_verify(buffer);
/* Find the smallest power of two which is greater or equal to needed */ /* Find the smallest power of two which is greater or equal to needed */
while(smallest <= needed) { while(smallest <= needed) {
smallest <<= 1; if (smallest == 0) {
return -1;
}
smallest <<= 1;
} }
needed = smallest; needed = smallest;
new = realloc(buffer->data, needed); new = realloc(buffer->data, needed);