Bugzilla – Attachment 2813 Details for Bug 2566: 2 integer overflows in function ssh_packet_send2_wrapped()
[patch] check padding calculations
bz2566.diff (text/plain), 1.12 KB, created by Damien Miller on 2016-05-03 23:28:51 AEST
>diff --git a/packet.c b/packet.c >index b03d3f4..b89f1fb 100644 >--- a/packet.c >+++ b/packet.c >@@ -1160,7 +1160,7 @@ ssh_packet_send2_wrapped(struct ssh *ssh) > { > struct session_state *state = ssh->state; > u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH]; >- u_char padlen, pad = 0; >+ u_int padlen, pad = 0; > u_int authlen = 0, aadlen = 0; > u_int len; > struct sshenc *enc = NULL; >@@ -1218,13 +1218,18 @@ ssh_packet_send2_wrapped(struct ssh *ssh) > if (padlen < 4) > padlen += block_size; > if (state->extra_pad) { >- /* will wrap if extra_pad+padlen > 255 */ >- state->extra_pad = >- roundup(state->extra_pad, block_size); >- pad = state->extra_pad - >- ((len + padlen) % state->extra_pad); >+ state->extra_pad = roundup(state->extra_pad, block_size); >+ if (state->extra_pad == 0) { >+ r = SSH_ERR_INTERNAL_ERROR; >+ goto out; >+ } >+ pad = state->extra_pad - ((len + padlen) % state->extra_pad); > DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)", > __func__, pad, len, padlen, state->extra_pad)); >+ if (pad > 255) { >+ r = SSH_ERR_INTERNAL_ERROR; >+ goto out; >+ } > padlen += pad; > state->extra_pad = 0; > }
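Review bot: In the first hunk (@@ -1160,7 +1160,7 @@), the declaration `u_int padlen, pad = 0;` widens both variables, so the type no longer caps either value at one byte and the limit now depends entirely on explicit checks later in the function. The patch also removes the comment that mentioned the wrap at 255, so a short comment at this declaration stating that both values must be at most 255 before they are used would keep the constraint documented where the types are chosen.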
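Review bot: In the second hunk (@@ -1218,13 +1218,18 @@), the new `if (pad > 255)` check bounds pad alone, but the value carried forward is the sum from `padlen += pad`, and padlen already holds the base padding (raised by block_size when it was below 4), so the sum can exceed 255 while pad still passes the check. The removed comment stated the wrap condition in terms of extra_pad+padlen, which suggests the bound belongs on the sum; consider testing `padlen + pad > 255` instead, or checking padlen after the addition. Separately, the DBG line still formats pad, len and padlen with %d although all three are u_int after this patch; %u would match the types.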