WolfSSL
/
wolfssh
mirror of https://github.com/wolfSSL/wolfssh.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #303 from guidovranken/27666 

Use overflow-safe bounds checking in DoKexDhReply
pull/309/head
David Garske 2021-01-13 07:13:29 -08:00 committed by GitHub
parent 707312065b 0484497905
commit 43d653867f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/internal.c
View File

@ -2989,14 +2989,15 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
if (ret == WS_SUCCESS) { if (ret == WS_SUCCESS) {
pubKeyIdx += scratch; pubKeyIdx += scratch;
ret = GetUint32(&eSz, pubKey, pubKeySz, &pubKeyIdx); ret = GetUint32(&eSz, pubKey, pubKeySz, &pubKeyIdx);
if (ret == WS_SUCCESS && eSz > len - pubKeyIdx)
ret = WS_BUFFER_E;
} }
if (ret == WS_SUCCESS) { if (ret == WS_SUCCESS) {
e = pubKey + pubKeyIdx; e = pubKey + pubKeyIdx;
pubKeyIdx += eSz; pubKeyIdx += eSz;
ret = GetUint32(&nSz, pubKey, pubKeySz, &pubKeyIdx); ret = GetUint32(&nSz, pubKey, pubKeySz, &pubKeyIdx);
if (ret == WS_SUCCESS && (nSz + pubKeyIdx > len)) { if (ret == WS_SUCCESS && nSz > len - pubKeyIdx)
ret = WS_BUFFER_E; ret = WS_BUFFER_E;
}
} }
if (ret == WS_SUCCESS) { if (ret == WS_SUCCESS) {
n = pubKey + pubKeyIdx; n = pubKey + pubKeyIdx;