author | Markus Friedl <markus@cvs.openbsd.org> | 2002-06-26 08:53:13 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2002-06-26 08:53:13 +0000 |
commit | e76c68e4af119c0e1cb257f1ba31a88ee49832f0 (patch) | |
tree | 0adb1b82bf911eeda460ce1dd033344576480820 | |
parent | fea01b6fd2b872543f58dc2e0659983978a92e70 (diff) |
limit size of BNs to 8KB; ok provos/deraadt
-rw-r--r-- | usr.bin/ssh/bufaux.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/usr.bin/ssh/bufaux.c b/usr.bin/ssh/bufaux.c
index 6e8452f24db..5e8254e5606 100644
--- a/usr.bin/ssh/bufaux.c
+++ b/usr.bin/ssh/bufaux.c
@@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.26 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -88,6 +88,8 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
 bits = GET_16BIT(buf);
 /* Compute the number of binary bytes that follow. */
 bytes = (bits + 7) / 8;
+ if (bytes > 8 * 1024)
+ fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
 if (buffer_len(buffer) < bytes)
 fatal("buffer_get_bignum: input buffer too small");
 bin = buffer_ptr(buffer);
@@ -129,13 +131,15 @@ buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
 xfree(buf);
 }
+/* XXX does not handle negative BNs */
 void
 buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
 {
- /**XXX should be two's-complement */
- int len;
- u_char *bin = buffer_get_string(buffer, (u_int *)&len);
+ u_int len;
+ u_char *bin = buffer_get_string(buffer, &len);
+ if (len > 8 * 1024)
+ fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
 BN_bin2bn(bin, len, value);
 xfree(bin);
 }
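Review bot: The new `bytes > 8 * 1024` guard in buffer_get_bignum looks unreachable. `bits` is read with `GET_16BIT(buf)`, so if that macro yields at most 0xFFFF, `bytes = (bits + 7) / 8` tops out at 8192, which is not greater than the limit. Keeping the check as defence in depth is fine, but a comment such as `/* cannot trigger while the length prefix is 16 bits; kept to mirror buffer_get_bignum2 */` would stop a later reader from assuming this line enforces the cap. The literal `8 * 1024` is repeated in buffer_get_bignum2 in the last hunk, and one named constant would keep the two limits in step. The function body starts and ends outside the hunk, so the declared type of `bytes` is not visible here.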
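Review bot: In buffer_get_bignum2, `len` is now `u_int` but the added fatal() call still formats it with `%d`. `%u` matches the type: `fatal("buffer_get_bignum2: cannot handle BN of size %u", len);`. The size check also runs only after buffer_get_string() has returned the string, so it bounds what reaches BN_bin2bn() rather than the earlier allocation; whatever limit buffer_get_string itself applies is not visible in this hunk. The return value of `BN_bin2bn(bin, len, value)` on the following context line is still ignored. Testing it for NULL and calling fatal() would stop a failed conversion of peer-supplied data from passing silently.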