From 19467455fe7840ab146f47136c88f61c87365e8c Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Wed, 25 Jan 2017 19:47:08 +0000
Subject: [PATCH] Fix an integer overflow in get_ssh_string.

If the length field in the input data was so large that adding 4 to it
caused wraparound, the error check could fail to trigger. Fortunately,
this praticular get_ssh_string function is only used during private
key import from foreign file formats, so it won't be facing hostile
data.
---
 misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc.c b/misc.c
index ed6290f5..5fd58a13 100644
--- a/misc.c
+++ b/misc.c
@@ -1118,7 +1118,7 @@ void *get_ssh_string(int *datalen, const void **data, int *stringlen)
     if (*datalen < 4)
         return NULL;
     len = GET_32BIT_MSB_FIRST((const unsigned char *)*data);
-    if (*datalen < len+4)
+    if (*datalen - 4 < len)
         return NULL;
     ret = (void *)((const char *)*data + 4);
     *datalen -= len + 4;
-- 
2.45.1