Skip to content

Commit

Permalink
FauxFauxGH-79: backport supposed fix for CVE-2013-4852
Browse files Browse the repository at this point in the history 
"Add an assortment of extra safety checks."

Direct cherry-pick of svn://svn.tartarus.org/sgt/putty@9896
  • Loading branch information
@FauxFaux
simon authored and FauxFaux committed Aug 5, 2013
1 parent 1513cc4 commit 76ba385
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 2 deletions.
2 changes: 1 addition & 1 deletion import.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, int len, struct mpint_pos *ret)
if (len < 4)
goto error;
bytes = GET_32BIT(d);
if (len < 4+bytes)
if (bytes < 0 || len-4 < bytes)
goto error;

ret->start = d + 4;
Expand Down
4 changes: 3 additions & 1 deletion sshdss.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
if (*length < 0)
return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
Expand Down Expand Up @@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int len)
}
#endif

if (!p || memcmp(p, "ssh-dss", 7)) {
if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
sfree(dss);
return NULL;
}
Expand Down
2 changes: 2 additions & 0 deletions sshrsa.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -526,6 +526,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
if (*length < 0)
return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
Expand Down

0 comments on commit 76ba385

Please sign in to comment.