diff options
| author | Werner Koch <[email protected]> | 2015-03-15 12:04:48 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2015-03-15 12:04:48 +0000 |
| commit | 3529dd8bb5bafc4e02915648d5f409bd27a9cc37 (patch) | |
| tree | 9ee1854bee1818226808ebc8f78d81edfb275924 | |
| parent | agent: Remove useless conditions. (diff) | |
| download | gnupg-3529dd8bb5bafc4e02915648d5f409bd27a9cc37.tar.gz gnupg-3529dd8bb5bafc4e02915648d5f409bd27a9cc37.zip | |
agent: Fix length test in sshcontrol parser.
* agent/command-ssh.c (ssh_search_control_file): Check S before
upcasing it.
--
In contradiction to the comment we did not check the length of HEXGRIP
and thus the GPG_ERR_INV_LENGTH was never triggered.
Detected by Stack 0.3:
bug: anti-simplify
model: |
%cmp8 = icmp ne i32 %i.0, 40, !dbg !986
--> false
stack:
- /home/wk/s/gnupg/agent/command-ssh.c:1226:0
ncore: 2
core:
- /home/wk/s/gnupg/agent/command-ssh.c:1225:0
- buffer overflow
- /home/wk/s/gnupg/agent/command-ssh.c:1225:0
- buffer overflow
| -rw-r--r-- | agent/command-ssh.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/agent/command-ssh.c b/agent/command-ssh.c index 2b5120763..fffdb00d9 100644 --- a/agent/command-ssh.c +++ b/agent/command-ssh.c @@ -1220,7 +1220,7 @@ ssh_search_control_file (ssh_control_file_t cf, /* We need to make sure that HEXGRIP is all uppercase. The easiest way to do this and also check its length is by copying to a second buffer. */ - for (i=0, s=hexgrip; i < 40; s++, i++) + for (i=0, s=hexgrip; i < 40 && *s; s++, i++) uphexgrip[i] = *s >= 'a'? (*s & 0xdf): *s; uphexgrip[i] = 0; if (i != 40) |