RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2014/02/27 00:41:49 

[bufbn.c]
     fix unsigned overflow that could lead to reading a short ssh protocol
     1 bignum value; found by Ben Hawkes; ok deraadt@
This commit is contained in:
Damien Miller 2014-02-28 10:00:27 +11:00
parent fb3423b612
commit f9a9aaba43
2 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,3 +1,10 @@
20140228
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/02/27 00:41:49
[bufbn.c]
fix unsigned overflow that could lead to reading a short ssh protocol
1 bignum value; found by Ben Hawkes; ok deraadt@
20140227 20140227
- OpenBSD CVS Sync - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/02/26 20:18:37 - djm@cvs.openbsd.org 2014/02/26 20:18:37

7
bufbn.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: bufbn.c,v 1.9 2014/02/02 03:44:31 djm Exp $*/ /* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -108,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
return (-1); return (-1);
} }
bits = get_u16(buf); bits = get_u16(buf);
if (bits > 65536-7) {
error("buffer_get_bignum_ret: cannot handle BN of size %d",
bits);
return (-1);
}
/* Compute the number of binary bytes that follow. */ /* Compute the number of binary bytes that follow. */
bytes = (bits + 7) / 8; bytes = (bits + 7) / 8;
if (bytes > 8 * 1024) { if (bytes > 8 * 1024) {