- djm@cvs.openbsd.org 2014/02/27 00:41:49

[bufbn.c] fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@
author: Damien Miller <djm@mindrot.org> 2014-02-28 10:00:27 +1100
committer: Damien Miller <djm@mindrot.org> 2014-02-28 10:00:27 +1100
commit: f9a9aaba437c2787e40cf7cc928281950e161678 (patch)
tree: 862b9afbe79f83d23eaa5fc101a681b1f96fc90d /bufbn.c
parent: fb3423b612713d9cde67c8a75f6f51188d6a3de3 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/bufbn.c b/bufbn.c
index c4ad810e..40e8ed4d 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufbn.c,v 1.9 2014/02/02 03:44:31 djm Exp $*/
+/* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -108,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
 		return (-1);
 	}
 	bits = get_u16(buf);
+	if (bits > 65536-7) {
+		error("buffer_get_bignum_ret: cannot handle BN of size %d",
+		    bits);
+		return (-1);
+	}
 	/* Compute the number of binary bytes that follow. */
 	bytes = (bits + 7) / 8;
 	if (bytes > 8 * 1024) {
author	Damien Miller <djm@mindrot.org>	2014-02-28 10:00:27 +1100
committer	Damien Miller <djm@mindrot.org>	2014-02-28 10:00:27 +1100
commit	f9a9aaba437c2787e40cf7cc928281950e161678 (patch)
tree	862b9afbe79f83d23eaa5fc101a681b1f96fc90d /bufbn.c
parent	fb3423b612713d9cde67c8a75f6f51188d6a3de3 (diff)