asedeno.scripts.mit.edu Git - PuTTY.git/commitdiff
Fix a potential crash in ssh_setup_portfwd.
author Simon Tatham <anakin@pobox.com>
Sat, 25 Jan 2014 15:59:04 +0000 (15:59 +0000)
committer Simon Tatham <anakin@pobox.com>
Sat, 25 Jan 2014 15:59:04 +0000 (15:59 +0000)
If we search for a colon by computing ptr + host_strcspn(ptr,":"),
then the resulting pointer is always non-NULL, and the 'not found'
condition is not !p but !*p.

This typo could have caused PuTTY to overrun a string, but not in a
security-bug sense because any such string would have to have been
loaded from the configuration rather than received from a hostile
source.

[originally from svn r10123]

ssh.c

diff --git a/ssh.c b/ssh.c
index f8fc14348b8e70eb75b143b962c85267361aa221..1333b6783ac681ed5fc73513b50c488e5eead2da 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -4955,7 +4955,7 @@ static void ssh_setup_portfwd(Ssh ssh, Conf *conf)
            vp = val;
            vp2 = vp + host_strcspn(vp, ":");
            host = dupprintf("%.*s", (int)(vp2 - vp), vp);
-           if (vp2)
+           if (*vp2)
                vp2++;
            dports = vp2;
            dport = atoi(dports);
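Review bot: at `dports = vp2;` followed by `dport = atoi(dports);`, a value with no colon now leaves `vp2` on the terminating NUL, so `dports` is the empty string and `atoi` returns 0 with no indication that the port was missing. If the code after this hunk does not already reject a zero `dport`, an explicit "no colon found" branch at the `if (*vp2)` test would make the malformed-configuration case visible instead of silently producing port 0. A one-line comment there stating that `vp + host_strcspn(vp, ":")` is never NULL would also help keep the `!p` versus `!*p` mistake from being reintroduced.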