mirror of https://github.com/wolfSSL/wolfssh.git
Use overflow-safe bounds checking in DoKexDhReply
Resolves OSS-Fuzz issue 27666 (see ZD 11429)
pull/303/head
parent
707312065b
commit
0484497905
|
@ -2989,14 +2989,15 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
|||
if (ret == WS_SUCCESS) {
|
||||
pubKeyIdx += scratch;
|
||||
ret = GetUint32(&eSz, pubKey, pubKeySz, &pubKeyIdx);
|
||||
if (ret == WS_SUCCESS && eSz > len - pubKeyIdx)
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
if (ret == WS_SUCCESS) {
|
||||
e = pubKey + pubKeyIdx;
|
||||
pubKeyIdx += eSz;
|
||||
ret = GetUint32(&nSz, pubKey, pubKeySz, &pubKeyIdx);
|
||||
if (ret == WS_SUCCESS && (nSz + pubKeyIdx > len)) {
|
||||
if (ret == WS_SUCCESS && nSz > len - pubKeyIdx)
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
}
|
||||
if (ret == WS_SUCCESS) {
|
||||
n = pubKey + pubKeyIdx;
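Review bot: The two new checks, `eSz > len - pubKeyIdx` and `nSz > len - pubKeyIdx`, bound the RSA fields by `len`, while `pubKeyIdx` is an offset into `pubKey` and the adjacent `GetUint32` calls are bounded by `pubKeySz`. If `pubKey` points part-way into `buf` (its assignment is outside this hunk, so this is inferred), `len - pubKeyIdx` overstates the bytes remaining, and a peer-supplied `eSz` or `nSz` could still carry `e`/`n` past the end of the key blob. Comparing against the blob size keeps the subtraction form and matches the reads: `if (ret == WS_SUCCESS && eSz > pubKeySz - pubKeyIdx)`, and likewise for `nSz`. The subtraction is only wrap-free when `pubKeyIdx <= pubKeySz`, which presumably holds after a successful `GetUint32`, but `pubKeyIdx += scratch` has no bound visible here and is worth confirming in the part of DoKexDhReply that lies outside the hunk.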
|
||||
|
|