[openssh-commits] [openssh] 01/03: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Sep 29 03:20:32 AEST 2016


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 27c3a9c2aede2184856b5de1e6eca414bb751c38
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Sep 26 21:16:11 2016 +0000

    upstream commit
    
    Avoid a theoretical signed integer overflow should
    BN_num_bytes() ever violate its manpage and return a negative value. Improve
    order of tests to avoid confusing increasingly pedantic compilers.
    
    Reported by Guido Vranken from stack (css.csail.mit.edu/stack)
    unstable optimisation analyser output.  ok deraadt@
    
    Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505
---
 sshkey.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sshkey.c b/sshkey.c
index e6df94a..f719772 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.38 2016/09/12 23:31:27 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.39 2016/09/26 21:16:11 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -887,9 +887,12 @@ sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
 		int nlen = BN_num_bytes(k->rsa->n);
 		int elen = BN_num_bytes(k->rsa->e);
 
+		if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) {
+			r = SSH_ERR_INVALID_FORMAT;
+			goto out;
+		}
 		blob_len = nlen + elen;
-		if (nlen >= INT_MAX - elen ||
-		    (blob = malloc(blob_len)) == NULL) {
+		if ((blob = malloc(blob_len)) == NULL) {
 			r = SSH_ERR_ALLOC_FAIL;
 			goto out;
 		}

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list