diff options
author | djm@openbsd.org <djm@openbsd.org> | 2019-10-09 00:02:57 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-10-09 11:11:41 +1100 |
commit | a546b17bbaeb12beac4c9aeed56f74a42b18a93a (patch) | |
tree | 0a3a1e76a944f5aa52e4f32dfe819884fd094cac | |
parent | c2cc25480ba36ab48c1a577bebb12493865aad87 (diff) |
upstream: fix integer overflow in XMSS private key parsing.
Reported by Adam Zabrocki via SecuriTeam's SSH program.
Note that this code is experimental and not compiled by default.
ok markus@
OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
-rw-r--r-- | sshkey-xmss.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sshkey-xmss.c b/sshkey-xmss.c index a29e33f39..9e5f5e475 100644 --- a/sshkey-xmss.c +++ b/sshkey-xmss.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey-xmss.c,v 1.5 2019/06/28 13:35:04 deraadt Exp $ */ | 1 | /* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2017 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2017 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded, | |||
977 | goto out; | 977 | goto out; |
978 | } | 978 | } |
979 | /* check that an appropriate amount of auth data is present */ | 979 | /* check that an appropriate amount of auth data is present */ |
980 | if (sshbuf_len(encoded) < encrypted_len + authlen) { | 980 | if (sshbuf_len(encoded) < authlen || |
981 | sshbuf_len(encoded) - authlen < encrypted_len) { | ||
981 | r = SSH_ERR_INVALID_FORMAT; | 982 | r = SSH_ERR_INVALID_FORMAT; |
982 | goto out; | 983 | goto out; |
983 | } | 984 | } |