[openssh-commits] [openssh] 04/07: upstream: fix integer overflow in XMSS private key parsing.

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch V_8_1
in repository openssh.

commit a546b17bbaeb12beac4c9aeed56f74a42b18a93a
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Oct 9 00:02:57 2019 +0000

    upstream: fix integer overflow in XMSS private key parsing.
    
    Reported by Adam Zabrocki via SecuriTeam's SSH program.
    
    Note that this code is experimental and not compiled by default.
    
    ok markus@
    
    OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
---
 sshkey-xmss.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sshkey-xmss.c b/sshkey-xmss.c
index a29e33f3..9e5f5e47 100644
--- a/sshkey-xmss.c
+++ b/sshkey-xmss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey-xmss.c,v 1.5 2019/06/28 13:35:04 deraadt Exp $ */
+/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */
 /*
  * Copyright (c) 2017 Markus Friedl.  All rights reserved.
  *
@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
 		goto out;
 	}
 	/* check that an appropriate amount of auth data is present */
-	if (sshbuf_len(encoded) < encrypted_len + authlen) {
+	if (sshbuf_len(encoded) < authlen ||
+	    sshbuf_len(encoded) - authlen < encrypted_len) {
 		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.