File 0002-CVE-2012-4562-Fix-multiple-integer-overflo... of Package libssh

Overview Repositories Revisions Requests Users Attributes Meta

File 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch of Package libssh

From db81310d719878cc04b23e4033fbe19fa0b1f8a3 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Mon, 28 Nov 2011 04:42:54 -0500
Subject: [PATCH 02/13] CVE-2012-4562: Fix multiple integer overflows in
 buffer-related functions.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/buffer.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- libssh-0.3.4/libssh/buffer.c.orig	2012-12-19 17:10:47.289370446 +0100
+++ libssh-0.3.4/libssh/buffer.c	2012-12-19 17:21:04.772277522 +0100
@@ -21,6 +21,7 @@
  * MA 02111-1307, USA.
  */
 
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -111,6 +112,13 @@
  * \param len length of data
  */
 int buffer_add_data(struct buffer_struct *buffer, const void *data, u32 len) {
+
+  if (buffer->used + len < len)
+    return -1;
+
+  if (buffer->used - buffer->pos + len < len)
+    return -1;
+
   if (buffer->allocated < (buffer->used + len)) {
     if (realloc_buffer(buffer, buffer->used + len) < 0) {
       return -1;
@@ -265,7 +273,7 @@
  * \return new size of the buffer
  */
 u32 buffer_pass_bytes(struct buffer_struct *buffer, u32 len){
-    if(buffer->used < buffer->pos+len)
+    if (buffer->pos + len < len || buffer->used < buffer->pos + len)
         return 0;
     buffer->pos+=len;
     /* if the buffer is empty after having passed the whole bytes into it, we can clean it */
@@ -283,8 +291,11 @@
  * \return new size of the buffer
  */
 u32 buffer_pass_bytes_end(struct buffer_struct *buffer, u32 len){
-    if(buffer->used < buffer->pos + len)
-        return 0;
+
+  if (buffer->used < len) {
+      return 0;
+  }
+
     buffer->used-=len;
     return len;
 }
@@ -356,7 +367,7 @@
   }
   hostlen = ntohl(stringlen);
   /* verify if there is enough space in buffer to get it */
-  if ((buffer->pos + hostlen) > buffer->used) {
+  if (buffer->pos + hostlen < hostlen || buffer->pos + hostlen > buffer->used) {
     return NULL; /* it is indeed */
   }
   str = string_new(hostlen);
@@ -389,7 +400,7 @@
   }
   bits = ntohs(bits);
   len = (bits + 7) / 8;
-  if ((buffer->pos + len) > buffer->used) {
+  if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
     return NULL;
   }
   str = string_new(len);

Places

File 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch of Package libssh

Places