File 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch of Package libssh.openSUSE_12.1_Update

From 59a6f5f7338f26efff6c57dc6853c830218664e7 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Mon, 28 Nov 2011 04:42:54 -0500
Subject: [PATCH 02/11] CVE-2012-4562: Fix multiple integer overflows in
 buffer-related functions.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit ac1ef5d2caa8cb6e44c353ff542af09529bc94e8)
---
 src/buffer.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/buffer.c b/src/buffer.c
index 27d2592..9e93a4a 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -21,6 +21,7 @@
  * MA 02111-1307, USA.
  */
 
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -180,6 +181,10 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
  */
 int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
   buffer_verify(buffer);
+
+  if (buffer->used + len < len)
+    return -1;
+
   if (buffer->allocated < (buffer->used + len)) {
     if(buffer->pos > 0)
       buffer_shift(buffer);
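Review bot: The wrap check added at the top of buffer_add_data only proves that `buffer->used + len` fits the unsigned type; the growth path that consumes that sum is outside this hunk, and the `realloc_buffer()` call visible in the buffer_prepend_data hunk receives the same kind of value. The patch adds `#include <limits.h>`, yet no visible hunk uses a limit macro, so it is worth confirming that `realloc_buffer()` takes an unsigned size and rejects a request it cannot round up. If its parameter turns out to be a signed `int`, a sum above INT_MAX would still pass the new check. In that case bound it here too, assuming the fields are `uint32_t` like `len`: `if (len > INT_MAX || buffer->used > INT_MAX - len) return -1;`.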
@@ -318,6 +323,8 @@ int buffer_prepend_data(struct ssh_buffer_struct *buffer, const void *data,
     return 0;
   }
   /* pos isn't high enough */
+  if (buffer->used - buffer->pos + len < len)
+    return -1;
   if (buffer->allocated < (buffer->used - buffer->pos + len)) {
     if (realloc_buffer(buffer, buffer->used - buffer->pos + len) < 0) {
       return -1;
@@ -429,7 +436,7 @@ uint32_t buffer_get_rest_len(struct ssh_buffer_struct *buffer){
  */
 uint32_t buffer_pass_bytes(struct ssh_buffer_struct *buffer, uint32_t len){
     buffer_verify(buffer);
-    if(buffer->used < buffer->pos+len)
+    if (buffer->pos + len < len || buffer->used < buffer->pos + len)
         return 0;
     buffer->pos+=len;
     /* if the buffer is empty after having passed the whole bytes into it, we can clean it */
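Review bot: The `buffer->pos + len < len` test in buffer_pass_bytes is a wraparound idiom that a reader can mistake for a no-op, and it is only valid while both operands are unsigned and no narrower than `int`. A one-line comment would make that explicit: `/* unsigned pos + len wraps on overflow; a wrapped sum is smaller than len */`. The same comment fits the identical tests in the buffer_get_ssh_string and buffer_get_mpint hunks, where the declarations of `hostlen` and `len` are outside the visible lines. The function body continues past the end of this hunk.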
@@ -454,8 +461,11 @@ uint32_t buffer_pass_bytes(struct ssh_buffer_struct *buffer, uint32_t len){
  */
 uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){
   buffer_verify(buffer);
-  if(buffer->used < buffer->pos + len)
-    return 0;
+
+  if (buffer->used < len) {
+      return 0;
+  }
+
   buffer->used-=len;
   buffer_verify(buffer);
   return len;
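Review bot: The rewritten guard in buffer_pass_bytes_end compares `len` with `buffer->used` alone, so a `len` larger than the unread span `used - pos` but not larger than `used` is now accepted, and `buffer->used -= len` leaves `used` below `pos`. The removed check rejected that case whenever its sum did not wrap. Later arithmetic of the form `buffer->used - buffer->pos`, as in the buffer_prepend_data hunk, would then wrap, and the trailing `buffer_verify()` only helps if it is active in release builds, which this patch does not show. Unless callers are guaranteed never to trim past the read position, keep `pos` in the test without the overflowing sum: `if (len > buffer->used - buffer->pos) return 0;`, which relies on `pos <= used` holding on entry. The function's closing brace is outside the hunk.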
@@ -548,7 +558,7 @@ struct ssh_string_struct *buffer_get_ssh_string(struct ssh_buffer_struct *buffer
   }
   hostlen = ntohl(stringlen);
   /* verify if there is enough space in buffer to get it */
-  if ((buffer->pos + hostlen) > buffer->used) {
+  if (buffer->pos + hostlen < hostlen || buffer->pos + hostlen > buffer->used) {
     return NULL; /* it is indeed */
   }
   str = ssh_string_new(hostlen);
@@ -585,7 +595,7 @@ struct ssh_string_struct *buffer_get_mpint(struct ssh_buffer_struct *buffer) {
   }
   bits = ntohs(bits);
   len = (bits + 7) / 8;
-  if ((buffer->pos + len) > buffer->used) {
+  if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
     return NULL;
   }
   str = ssh_string_new(len);
-- 
1.7.10.4
