

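--- a/packet.c
+++ b/packet.c
@@ -1160,7 +1160,7 @@ ssh_packet_send2_wrapped(struct ssh *ssh
 {
 	struct session_state *state = ssh->state;
 	u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH];
-	u_char padlen, pad = 0;
+	u_char tmp, padlen, pad = 0;
 	u_int authlen = 0, aadlen = 0;
 	u_int len;
 	struct sshenc *enc   = NULL;
@@ -1218,14 +1218,24 @@ ssh_packet_send2_wrapped(struct ssh *ssh
 	if (padlen < 4)
 		padlen += block_size;
 	if (state->extra_pad) {
-		/* will wrap if extra_pad+padlen > 255 */
+		tmp = state->extra_pad;
 		state->extra_pad =
 		    roundup(state->extra_pad, block_size);
-		pad = state->extra_pad -
-		    ((len + padlen) % state->extra_pad);
+		/* check if roundup overflowed */
+		if (state->extra_pad < tmp)
+			return SSH_ERR_INVALID_ARGUMENT;
+		tmp = (len + padlen) % state->extra_pad;
+		/* Check whether pad calculation below will underflow */
+		if (tmp > state->extra_pad)
+			return SSH_ERR_INVALID_ARGUMENT;
+		pad = state->extra_pad - tmp;
 		DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
 		    __func__, pad, len, padlen, state->extra_pad));
+		tmp = padlen;
 		padlen += pad;
+		/* Check whether padlen calculation overflowed */
+		if (padlen < tmp)
+			return SSH_ERR_INVALID_ARGUMENT; /* overflow */
 		state->extra_pad = 0;
 	}
 	if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0)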
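Review bot: The check `if (tmp > state->extra_pad)` in the second hunk can never be true, because `tmp` has just been assigned `(len + padlen) % state->extra_pad` and a remainder is always smaller than its divisor. The test that actually catches a wrapped (including zero) divisor appears to be the earlier `state->extra_pad < tmp`. Either drop the dead branch or replace it with a comment such as `/* tmp < extra_pad here, so the subtraction cannot underflow */`, so readers do not count it as a second guard. Separately, the rounded-up and possibly wrapped value is written to `state->extra_pad` before it is validated, and the three new `return SSH_ERR_INVALID_ARGUMENT;` paths leave it there; if callers can keep using the session after this error (not visible in the shown lines), add `state->extra_pad = 0;` before returning. The function body starts and ends outside both hunks.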
