- (djm) OpenBSD CVS Sync

   - markus@cvs.openbsd.org 2002/06/26 08:53:12
     [bufaux.c]
     limit size of BNs to 8KB; ok provos/deraadt

1 files changed, 8 insertions, 4 deletions

diff --git a/bufaux.c b/bufaux.c
index 80abe890..d3dc674c 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.26 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
 
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -88,6 +88,8 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
 	bits = GET_16BIT(buf);
 	/* Compute the number of binary bytes that follow. */
 	bytes = (bits + 7) / 8;
+	if (bytes > 8 * 1024)
+		fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
 	if (buffer_len(buffer) < bytes)
 		fatal("buffer_get_bignum: input buffer too small");
 	bin = buffer_ptr(buffer);
@@ -129,13 +131,15 @@ buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
 	xfree(buf);
 }
 
+/* XXX does not handle negative BNs */
 void
 buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
 {
-	/**XXX should be two's-complement */
-	int len;
-	u_char *bin = buffer_get_string(buffer, (u_int *)&len);
+	u_int len;
+	u_char *bin = buffer_get_string(buffer, &len);
 
+	if (len > 8 * 1024)
+		fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
 	BN_bin2bn(bin, len, value);
 	xfree(bin);
 }