]> asedeno.scripts.mit.edu Git - PuTTY.git/commitdiff
projects / PuTTY.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ac8baf4)
Add an assortment of extra safety checks.
authorSimon Tatham <anakin@pobox.com>
Mon, 8 Jul 2013 22:36:04 +0000 (22:36 +0000)
committerSimon Tatham <anakin@pobox.com>
Mon, 8 Jul 2013 22:36:04 +0000 (22:36 +0000)
[originally from svn r9896]

import.c patch | blob | history
sshdss.c patch | blob | history
sshrsa.c patch | blob | history

diff --git a/import.c b/import.c
index bb863d778a45e33fe23e502df8bdfe2b9da3790d..ce957bc40d698789cafef6e73d13380d9816ef13 100644 (file)
--- a/import.c
+++ b/import.c
@@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, int len, struct mpint_pos *ret)
     if (len < 4)
         goto error;
     bytes = GET_32BIT(d);
-    if (len < 4+bytes)
+    if (bytes < 0 || len-4 < bytes)
         goto error;
 
     ret->start = d + 4;
diff --git a/sshdss.c b/sshdss.c
index 6cf5830d5bc64994b2ab6ec0aae3d0118834a5b5..1f15cee9f92a43767859451fdfa9dd75585f4354 100644 (file)
--- a/sshdss.c
+++ b/sshdss.c
@@ -43,6 +43,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
     if (*datalen < 4)
        return;
     *length = GET_32BIT(*data);
+    if (*length < 0)
+        return;
     *datalen -= 4;
     *data += 4;
     if (*datalen < *length)
@@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int len)
     }
 #endif
 
-    if (!p || memcmp(p, "ssh-dss", 7)) {
+    if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
        sfree(dss);
        return NULL;
     }
diff --git a/sshrsa.c b/sshrsa.c
index 77a6bb250cec41c11b2e4df6ccac28aef1c7ab5a..163a92b089e09e36875877e6b1a1499215c1507d 100644 (file)
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -526,6 +526,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
     if (*datalen < 4)
        return;
     *length = GET_32BIT(*data);
+    if (*length < 0)
+        return;
     *datalen -= 4;
     *data += 4;
     if (*datalen < *length)
local copy of git://git.tartarus.org/simon/putty.git