mirror of https://github.com/wolfSSL/wolfssh.git
Merge pull request #303 from guidovranken/27666
Use overflow-safe bounds checking in DoKexDhReplypull/309/head
commit
43d653867f
|
@ -2989,14 +2989,15 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
|
||||||
if (ret == WS_SUCCESS) {
|
if (ret == WS_SUCCESS) {
|
||||||
pubKeyIdx += scratch;
|
pubKeyIdx += scratch;
|
||||||
ret = GetUint32(&eSz, pubKey, pubKeySz, &pubKeyIdx);
|
ret = GetUint32(&eSz, pubKey, pubKeySz, &pubKeyIdx);
|
||||||
|
if (ret == WS_SUCCESS && eSz > len - pubKeyIdx)
|
||||||
|
ret = WS_BUFFER_E;
|
||||||
}
|
}
|
||||||
if (ret == WS_SUCCESS) {
|
if (ret == WS_SUCCESS) {
|
||||||
e = pubKey + pubKeyIdx;
|
e = pubKey + pubKeyIdx;
|
||||||
pubKeyIdx += eSz;
|
pubKeyIdx += eSz;
|
||||||
ret = GetUint32(&nSz, pubKey, pubKeySz, &pubKeyIdx);
|
ret = GetUint32(&nSz, pubKey, pubKeySz, &pubKeyIdx);
|
||||||
if (ret == WS_SUCCESS && (nSz + pubKeyIdx > len)) {
|
if (ret == WS_SUCCESS && nSz > len - pubKeyIdx)
|
||||||
ret = WS_BUFFER_E;
|
ret = WS_BUFFER_E;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if (ret == WS_SUCCESS) {
|
if (ret == WS_SUCCESS) {
|
||||||
n = pubKey + pubKeyIdx;
|
n = pubKey + pubKeyIdx;
|
||||||
|
|
Loading…
Reference in New Issue