Fix an integer overflow in get_ssh_string.

If the length field in the input data was so large that adding 4 to it
caused wraparound, the error check could fail to trigger. Fortunately,
this praticular get_ssh_string function is only used during private
key import from foreign file formats, so it won't be facing hostile
data.

diff --git a/misc.c b/misc.c
index ed6290f52eee9eb81af4ea5bbf65021fe039f929..5fd58a131550d7f0bd9c5429b9ab4339f8f461d1 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -1118,7 +1118,7 @@ void *get_ssh_string(int *datalen, const void **data, int *stringlen)
     if (*datalen < 4)
         return NULL;
     len = GET_32BIT_MSB_FIRST((const unsigned char *)*data);
-    if (*datalen < len+4)
+    if (*datalen - 4 < len)
         return NULL;
     ret = (void *)((const char *)*data + 4);
     *datalen -= len + 4;