author | djm@openbsd.org <djm@openbsd.org> | 2016-09-26 21:16:11 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-09-29 03:09:50 +1000 |
commit | 27c3a9c2aede2184856b5de1e6eca414bb751c38 (patch) | |
tree | 34a9759716c46966590012352871034d038904fd | |
parent | 8663e51c80c6aa3d750c6d3bcff6ee05091922be (diff) |
upstream commit
Avoid a theoretical signed integer overflow should
BN_num_bytes() ever violate its manpage and return a negative value. Improve
order of tests to avoid confusing increasingly pedantic compilers.
Reported by Guido Vranken from stack (css.csail.mit.edu/stack)
unstable optimisation analyser output. ok deraadt@
Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505
-rw-r--r-- | sshkey.c | 9 |
1 files changed, 6 insertions, 3 deletions
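--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.38 2016/09/12 23:31:27 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.39 2016/09/26 21:16:11 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -887,9 +887,12 @@ sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
 int nlen = BN_num_bytes(k->rsa->n);
 int elen = BN_num_bytes(k->rsa->e);
 
+if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) {
+r = SSH_ERR_INVALID_FORMAT;
+goto out;
+}
 blob_len = nlen + elen;
-if (nlen >= INT_MAX - elen ||
-(blob = malloc(blob_len)) == NULL) {
+if ((blob = malloc(blob_len)) == NULL) {
 r = SSH_ERR_ALLOC_FAIL;
 goto out;
 }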
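Review bot: The new guard in sshkey_fingerprint_raw() rejects negative lengths but still lets `nlen + elen == 0` reach `malloc(blob_len)`. A zero-size request may return NULL, which this path would report as SSH_ERR_ALLOC_FAIL, or it may return a zero-length buffer that is presumably used as the key blob by code after the hunk. Since a zero-length modulus or exponent is not a usable RSA key, consider tightening the test to `if (nlen <= 0 || elen <= 0 || nlen >= INT_MAX - elen) {` so that case is also reported as SSH_ERR_INVALID_FORMAT. Whether earlier validation already excludes such keys cannot be seen from here, because the function starts and ends outside the hunk. A short comment such as `/* BN_num_bytes() should never be negative; check before summing so nlen + elen cannot overflow */` would also record why the tests are ordered this way.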