diff options
| author | Werner Koch <[email protected]> | 2015-03-15 12:04:48 +0000 |
|---|---|---|
| committer | NIIBE Yutaka <[email protected]> | 2015-04-15 07:07:08 +0000 |
| commit | a838e8f806693e9403541f482b58b66c606e376b (patch) | |
| tree | f41fe3e6e06da3ac14817e983a073414b38c7f26 | |
| parent | scd: Fix possible NULL deref in apdu.c (diff) | |
| download | gnupg-a838e8f806693e9403541f482b58b66c606e376b.tar.gz gnupg-a838e8f806693e9403541f482b58b66c606e376b.zip | |
agent: Fix length test in sshcontrol parser.
* agent/command-ssh.c (ssh_search_control_file): Check S before
upcasing it.
--
In contradiction to the comment we did not check the length of HEXGRIP
and thus the GPG_ERR_INV_LENGTH was never triggered.
Detected by Stack 0.3:
bug: anti-simplify
model: |
%cmp8 = icmp ne i32 %i.0, 40, !dbg !986
--> false
stack:
- /home/wk/s/gnupg/agent/command-ssh.c:1226:0
ncore: 2
core:
- /home/wk/s/gnupg/agent/command-ssh.c:1225:0
- buffer overflow
- /home/wk/s/gnupg/agent/command-ssh.c:1225:0
- buffer overflow
(backported from 2.1 commit 3529dd8bb5bafc4e02915648d5f409bd27a9cc37)
| -rw-r--r-- | agent/command-ssh.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/agent/command-ssh.c b/agent/command-ssh.c index 3583ea068..ea6080ae7 100644 --- a/agent/command-ssh.c +++ b/agent/command-ssh.c @@ -1113,7 +1113,7 @@ ssh_search_control_file (ssh_control_file_t cf, /* We need to make sure that HEXGRIP is all uppercase. The easiest way to do this and also check its length is by copying to a second buffer. */ - for (i=0, s=hexgrip; i < 40; s++, i++) + for (i=0, s=hexgrip; i < 40 && *s; s++, i++) uphexgrip[i] = *s >= 'a'? (*s & 0xdf): *s; uphexgrip[i] = 0; if (i != 40) |