From f9a9aaba437c2787e40cf7cc928281950e161678 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 28 Feb 2014 10:00:27 +1100
Subject: [PATCH] - djm@cvs.openbsd.org 2014/02/27 00:41:49 [bufbn.c] fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@
---
 ChangeLog | 7 +++++++
 bufbn.c | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 7aa8a9f38..416f4b58c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140228
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/02/27 00:41:49
+ [bufbn.c]
+ fix unsigned overflow that could lead to reading a short ssh protocol
+ 1 bignum value; found by Ben Hawkes; ok deraadt@
+
 20140227
 - OpenBSD CVS Sync
 - djm@cvs.openbsd.org 2014/02/26 20:18:37
diff --git a/bufbn.c b/bufbn.c
index c4ad810e4..40e8ed4d5 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufbn.c,v 1.9 2014/02/02 03:44:31 djm Exp $*/
+/* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -108,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
 return (-1);
 }
 bits = get_u16(buf);
+ if (bits > 65536-7) {
+ error("buffer_get_bignum_ret: cannot handle BN of size %d",
+ bits);
+ return (-1);
+ }
 /* Compute the number of binary bytes that follow. */
 bytes = (bits + 7) / 8;
 if (bytes > 8 * 1024) {
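Review bot: The bound `65536-7` in the added check of the second bufbn.c hunk still admits bits == 65529, for which `bits + 7` equals 65536, one more than a 16-bit quantity can hold; if the guard is meant to keep that sum from wrapping in a 16-bit-wide computation, it should read `if (bits > 65535-7) {`. The declaration of `bits` lies outside the hunk, so whether the addition can actually wrap here cannot be confirmed from these lines, and a short comment above the check stating the intended invariant (for example `/* bits + 7 must not exceed the 16-bit range */`) would make the constant reviewable. The new error() call also formats `bits` with `%d`; if `bits` is an unsigned type, as the commit message's "unsigned overflow" suggests, `%u` is the matching specifier. buffer_get_bignum_ret begins before and continues past this hunk.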