lib/libssh2
1
0
Fork 0
mirror of https://github.com/libssh2/libssh2.git synced 2025-11-18 15:20:56 +03:00
Code Activity

agent: handle overly large comment lengths (#651)

Browse Source 
Reported-by: Harry Sintonen
This commit is contained in:
Daniel Stenberg
2021-12-17 17:56:29 +01:00
committed by GitHub
parent 37ee0aa214
commit 552e20df38
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/agent.c
View File

@@ -1,6 +1,6 @@
/* /*
* Copyright (c) 2009 by Daiki Ueno * Copyright (c) 2009 by Daiki Ueno
* Copyright (C) 2010-2014 by Daniel Stenberg * Copyright (C) 2010-2021 by Daniel Stenberg
* All rights reserved. * All rights reserved.
* *
* Redistribution and use in source and binary forms, * Redistribution and use in source and binary forms,
@@ -541,7 +541,7 @@ agent_list_identities(LIBSSH2_AGENT *agent)
while(num_identities--) { while(num_identities--) {
struct agent_publickey *identity; struct agent_publickey *identity;
ssize_t comment_len; size_t comment_len;
/* Read the length of the blob */ /* Read the length of the blob */
len -= 4; len -= 4;
@@ -586,14 +586,14 @@ agent_list_identities(LIBSSH2_AGENT *agent)
comment_len = _libssh2_ntohu32(s); comment_len = _libssh2_ntohu32(s);
s += 4; s += 4;
/* Read the comment */ if(comment_len > (size_t)len) {
len -= comment_len;
if(len < 0) {
rc = LIBSSH2_ERROR_AGENT_PROTOCOL; rc = LIBSSH2_ERROR_AGENT_PROTOCOL;
LIBSSH2_FREE(agent->session, identity->external.blob); LIBSSH2_FREE(agent->session, identity->external.blob);
LIBSSH2_FREE(agent->session, identity); LIBSSH2_FREE(agent->session, identity);
goto error; goto error;
} }
/* Read the comment */
len -= comment_len;
identity->external.comment = LIBSSH2_ALLOC(agent->session, identity->external.comment = LIBSSH2_ALLOC(agent->session,
comment_len + 1); comment_len + 1);