authorDamien Miller <djm@mindrot.org>2002-06-26 19:14:08 +1000
committerDamien Miller <djm@mindrot.org>2002-06-26 19:14:08 +1000
commitaa15137c15d2fe6ca4d802c02c6f844072648936 (patch)
tree9338776a0330d9d7b4830ba5e89a1f47983b1dc3
parentf18cd162d310bbd69f272337e8adb57742d322c1 (diff)
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2002/06/26 08:53:12 [bufaux.c] limit size of BNs to 8KB; ok provos/deraadt
-rw-r--r--ChangeLog6
-rw-r--r--bufaux.c12
2 files changed, 13 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 55075c80..8fa522ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,10 @@
- (stevesk) [README.privsep] more for sshd pseudo-account.
- (tim) [contrib/caldera/openssh.spec] add support for privsep
- (djm) setlogin needs pgid==pid on BSD/OS; from itojun@
+ - (djm) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2002/06/26 08:53:12
+ [bufaux.c]
+ limit size of BNs to 8KB; ok provos/deraadt
20020625
- (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
@@ -1134,4 +1138,4 @@
- (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2289 2002/06/26 09:12:59 djm Exp $
+$Id: ChangeLog,v 1.2290 2002/06/26 09:14:08 djm Exp $
diff --git a/bufaux.c b/bufaux.c
index 80abe890..d3dc674c 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.26 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
#include <openssl/bn.h>
#include "bufaux.h"
@@ -88,6 +88,8 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
bits = GET_16BIT(buf);
/* Compute the number of binary bytes that follow. */
bytes = (bits + 7) / 8;
+ if (bytes > 8 * 1024)
+ fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
if (buffer_len(buffer) < bytes)
fatal("buffer_get_bignum: input buffer too small");
bin = buffer_ptr(buffer);
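Review bot: The added `bytes > 8 * 1024` guard in buffer_get_bignum looks unreachable: `bits` comes from `GET_16BIT(buf)`, so assuming that macro yields at most 0xFFFF, `(bits + 7) / 8` tops out at exactly 8192 and the comparison can never be true. It is harmless as defence in depth, but a comment would stop a later reader from treating it as the effective bound, e.g. `/* bits is 16-bit, so bytes <= 8192 here; guard kept in case the length field widens */`. The same `8 * 1024` literal is repeated in buffer_get_bignum2 further down, so a shared named constant would keep the two limits in step. The declaration of `bytes` is outside the hunk, so whether `%d` matches its type cannot be checked from here.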
@@ -129,13 +131,15 @@ buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
xfree(buf);
}
+/* XXX does not handle negative BNs */
void
buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
{
- /**XXX should be two's-complement */
- int len;
- u_char *bin = buffer_get_string(buffer, (u_int *)&len);
+ u_int len;
+ u_char *bin = buffer_get_string(buffer, &len);
+ if (len > 8 * 1024)
+ fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
BN_bin2bn(bin, len, value);
xfree(bin);
}
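Review bot: `BN_bin2bn(bin, len, value)` in buffer_get_bignum2 is still called without checking its result, so if the conversion fails (it returns NULL on error) the caller carries on with whatever `value` held before; the new size limit does not cover that case. I would change the call to `if (BN_bin2bn(bin, len, value) == NULL) fatal("buffer_get_bignum2: BN_bin2bn failed");`. Separately, `len` is now `u_int` but the new fatal() message formats it with `%d`; `%u` matches the type.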