[Bug 2566] 2 integer overflows in function ssh_packet_send2_wrapped()

bugzilla-daemon at bugzilla.mindrot.org
Wed May 4 18:28:42 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2566

--- Comment #2 from Torben <Torben.Hansen.2015 at rhul.ac.uk> ---
Hi Damien,

This patch would prevent any integer overflows. But by promoting padlen
to u_int you now open up the possibility of having padlen > 255
(which does happen for the same values that would make the variable wrap
in the first case). I'm not sure what consequences it has for the
execution of the code following the extra padding computation. It is
nonetheless illegal to have more than 255 bytes of padding according to
RFC 4253 section 6.

Checking if padlen + pad > 255 (instead of just pad > 255) would
prevent this problem. 

Cheers,
Torben
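
The difference between the checks discussed in this comment, as an added example that is not part of the original message and not OpenSSH's code. The function names and the sample values (8 bytes of padding plus 250 bytes of extra padding) are constructed for illustration.

```c
#include <stdio.h>

#define MAX_PADLEN 255u  /* RFC 4253 section 6: padding_length is one byte */

/* Variant 1: padlen kept in an 8-bit type, so the sum wraps silently. */
static int add_pad_u8(unsigned char padlen, unsigned int pad, unsigned int *out)
{
    padlen = (unsigned char)(padlen + pad);  /* truncated modulo 256 */
    *out = padlen;
    return 0;
}

/* Variant 2: padlen promoted to unsigned int, but only pad is bounded. */
static int add_pad_check_pad(unsigned int padlen, unsigned int pad,
                             unsigned int *out)
{
    if (pad > MAX_PADLEN)
        return -1;
    *out = padlen + pad;  /* no wrap, but the total may exceed 255 */
    return 0;
}

/* Variant 3: bound the sum padlen + pad, as the comment suggests. */
static int add_pad_check_sum(unsigned int padlen, unsigned int pad,
                             unsigned int *out)
{
    /* Written as a subtraction so the check itself cannot wrap. */
    if (padlen > MAX_PADLEN || pad > MAX_PADLEN - padlen)
        return -1;
    *out = padlen + pad;
    return 0;
}

int main(void)
{
    unsigned int r = 0;

    /* Constructed input: padlen = 8, pad = 250, so the true sum is 258. */
    add_pad_u8(8, 250, &r);
    printf("8-bit padlen wraps to: %u\n", r);
    if (add_pad_check_pad(8, 250, &r) == 0)
        printf("pad-only check accepts padlen: %u\n", r);
    printf("sum check: %s\n",
           add_pad_check_sum(8, 250, &r) == 0 ? "accepted" : "rejected");
    return 0;
}
```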


