If the length field in the input data was so large that adding 4 to it
caused wraparound, the error check could fail to trigger. Fortunately,
this praticular get_ssh_string function is only used during private
key import from foreign file formats, so it won't be facing hostile
data.
if (*datalen < 4)
return NULL;
len = GET_32BIT_MSB_FIRST((const unsigned char *)*data);
- if (*datalen < len+4)
+ if (*datalen - 4 < len)
return NULL;
ret = (void *)((const char *)*data + 4);
*datalen -= len + 4;