diff options
author | Damien Miller <djm@mindrot.org> | 2014-02-28 10:00:27 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-02-28 10:00:27 +1100 |
commit | f9a9aaba437c2787e40cf7cc928281950e161678 (patch) | |
tree | 862b9afbe79f83d23eaa5fc101a681b1f96fc90d /bufbn.c | |
parent | fb3423b612713d9cde67c8a75f6f51188d6a3de3 (diff) |
- djm@cvs.openbsd.org 2014/02/27 00:41:49
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
Diffstat (limited to 'bufbn.c')
-rw-r--r-- | bufbn.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.9 2014/02/02 03:44:31 djm Exp $*/ +/* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -108,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) return (-1); } bits = get_u16(buf); + if (bits > 65536-7) { + error("buffer_get_bignum_ret: cannot handle BN of size %d", + bits); + return (-1); + } /* Compute the number of binary bytes that follow. */ bytes = (bits + 7) / 8; if (bytes > 8 * 1024) { |