File 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch of Package libssh
From db81310d719878cc04b23e4033fbe19fa0b1f8a3 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Mon, 28 Nov 2011 04:42:54 -0500
Subject: [PATCH 02/13] CVE-2012-4562: Fix multiple integer overflows in buffer-related functions.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/buffer.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
--- libssh-0.3.4/libssh/buffer.c.orig 2012-12-19 17:10:47.289370446 +0100
+++ libssh-0.3.4/libssh/buffer.c 2012-12-19 17:21:04.772277522 +0100
@@ -21,6 +21,7 @@
 * MA 02111-1307, USA.
 */
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
@@ -111,6 +112,13 @@
 * \param len length of data
 */
 int buffer_add_data(struct buffer_struct *buffer, const void *data, u32 len) {
+
+ if (buffer->used + len < len)
+ return -1;
+
+ if (buffer->used - buffer->pos + len < len)
+ return -1;
+
 if (buffer->allocated < (buffer->used + len)) {
 if (realloc_buffer(buffer, buffer->used + len) < 0) {
 return -1;
@@ -265,7 +273,7 @@
 * \return new size of the buffer
 */
 u32 buffer_pass_bytes(struct buffer_struct *buffer, u32 len){
- if(buffer->used < buffer->pos+len)
+ if (buffer->pos + len < len || buffer->used < buffer->pos + len)
 return 0;
 buffer->pos+=len;
 /* if the buffer is empty after having passed the whole bytes into it, we can clean it */
@@ -283,8 +291,11 @@
 * \return new size of the buffer
 */
 u32 buffer_pass_bytes_end(struct buffer_struct *buffer, u32 len){
- if(buffer->used < buffer->pos + len)
- return 0;
+
+ if (buffer->used < len) {
+ return 0;
+ }
+
 buffer->used-=len;
 return len;
 }
@@ -356,7 +367,7 @@
 }
 hostlen = ntohl(stringlen);
 /* verify if there is enough space in buffer to get it */
- if ((buffer->pos + hostlen) > buffer->used) {
+ if (buffer->pos + hostlen < hostlen || buffer->pos + hostlen > buffer->used) {
 return NULL; /* it is indeed */
 }
 str = string_new(hostlen);
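Review bot: The two guards added at the top of buffer_add_data stop `buffer->used + len` from wrapping, but that value is then passed to `realloc_buffer(buffer, buffer->used + len)`, whose body is outside this hunk; if that helper rounds the request up to a larger allocation size, the rounding needs its own overflow check or an upper bound. The `sum < len` test is valid only because u32 is unsigned, which a one-line comment would make explicit, e.g. `/* u32 arithmetic wraps: a sum smaller than an operand means overflow */`. The added `#include <limits.h>` is not used by any line visible in this patch. The function body continues past the end of the hunk.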
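Review bot: The wrap test plus range test in buffer_pass_bytes, `buffer->pos + len < len || buffer->used < buffer->pos + len`, can be written as a single comparison that cannot overflow, `if (len > buffer->used - buffer->pos)`, provided the buffer always keeps pos <= used (the `buffer->used - buffer->pos` expression added in buffer_add_data suggests that is the intended invariant, but it is not shown here). The same two-clause pattern is repeated in the hostlen check at -356 and the len check at -389, so a small static helper returning the remaining byte count would keep all three sites consistent and easier to audit. buffer_pass_bytes continues beyond the hunk.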
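Review bot: The new guard in buffer_pass_bytes_end compares len only with `buffer->used`, so a len greater than `buffer->used - buffer->pos` is now accepted and `buffer->used -= len` can leave used below pos; the removed condition rejected that case whenever its sum did not wrap. Any later unsigned `used - pos` computation elsewhere in the file would then wrap to a very large length. Keeping the read position in the check avoids both the overflow and the regression: `if (buffer->pos > buffer->used || len > buffer->used - buffer->pos) { return 0; }`. The doc comment above the function says it returns the new size of the buffer while the visible code returns len, which is worth correcting in the same change.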
@@ -389,7 +400,7 @@
 }
 bits = ntohs(bits);
 len = (bits + 7) / 8;
- if ((buffer->pos + len) > buffer->used) {
+ if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
 return NULL;
 }
 str = string_new(len);