WolfSSL
/
wolfssh
mirror of https://github.com/wolfSSL/wolfssh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Use overflow-safe bounds checking in DoKexDhReply 

Resolves OSS-Fuzz issue 27666 (see ZD 11429)
pull/303/head
Guido Vranken 2021-01-03 01:12:28 +01:00
parent 707312065b
commit 0484497905
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/internal.c
View File

@ -2989,14 +2989,15 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
if (ret == WS_SUCCESS) {
pubKeyIdx += scratch;
ret = GetUint32(&eSz, pubKey, pubKeySz, &pubKeyIdx);
if (ret == WS_SUCCESS && eSz > len - pubKeyIdx)
ret = WS_BUFFER_E;
}
if (ret == WS_SUCCESS) {
e = pubKey + pubKeyIdx;
pubKeyIdx += eSz;
ret = GetUint32(&nSz, pubKey, pubKeySz, &pubKeyIdx);
if (ret == WS_SUCCESS && (nSz + pubKeyIdx > len)) {
if (ret == WS_SUCCESS && nSz > len - pubKeyIdx)
ret = WS_BUFFER_E;
}
}
if (ret == WS_SUCCESS) {
n = pubKey + pubKeyIdx;