author | 2016-09-26 21:16:11 +0000 | |
---|---|---|
committer | 2016-09-26 21:16:11 +0000 | |
commit | c450860eb457d8c4a6725b32562fa8cf3cd28c38 (patch) | |
tree | a75f4b23d0262371f973449e640764baf59f007e /usr.bin/ssh/sshkey.c | |
parent | Avoid calculating offset several times. This was done for a few functions already, but not all of them. (diff) | |
download | wireguard-openbsd-c450860eb457d8c4a6725b32562fa8cf3cd28c38.tar.xz wireguard-openbsd-c450860eb457d8c4a6725b32562fa8cf3cd28c38.zip |
Avoid a theoretical signed integer overflow should BN_num_bytes()
ever violate its manpage and return a negative value. Improve
order of tests to avoid confusing increasingly pedantic compilers.
Reported by Guido Vranken from stack (css.csail.mit.edu/stack)
unstable optimisation analyser output. ok deraadt@
Diffstat (limited to 'usr.bin/ssh/sshkey.c')
-rw-r--r-- | usr.bin/ssh/sshkey.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c index 9db78ea16f0..eaaeaddbca2 100644 --- a/usr.bin/ssh/sshkey.c +++ b/usr.bin/ssh/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.38 2016/09/12 23:31:27 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.39 2016/09/26 21:16:11 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -861,9 +861,12 @@ sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, int nlen = BN_num_bytes(k->rsa->n); int elen = BN_num_bytes(k->rsa->e); + if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } blob_len = nlen + elen; - if (nlen >= INT_MAX - elen || - (blob = malloc(blob_len)) == NULL) { + if ((blob = malloc(blob_len)) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } |
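Review bot: In the sshkey_fingerprint_raw hunk (@@ -861,9 +861,12 @@), the new guard is only safe because `nlen < 0 || elen < 0` is evaluated before `nlen >= INT_MAX - elen`; with a negative elen the subtraction `INT_MAX - elen` would itself overflow. A one-line comment above the `if` stating that the order of the tests matters would keep a later cleanup from reordering them. The guard also lets nlen + elen == 0 through, so `malloc(blob_len)` can be called with a size of zero, and a NULL return in that case would be reported as SSH_ERR_ALLOC_FAIL; if an empty modulus or exponent is never valid at this point, rejecting zero lengths in the same test with SSH_ERR_INVALID_FORMAT would give a more accurate error.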