author | Darren Tucker <dtucker@cvs.openbsd.org> | 2017-03-14 00:25:04 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2017-03-14 00:25:04 +0000 |
commit | 00626919c23a12434b1e92689c1518bcdbb019c3 (patch) | |
tree | 621803929f5dec56162b68a288c95efbca575b8f /usr.bin | |
parent | f0f156e564ccc292da6e65dbd9d2c49c21c614ad (diff) |
Check for integer overflow when parsing times in convtime(). Reported by
nicolas.iooss at m4x.org, ok djm@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/misc.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c
index 704bcdcd377..ba9465718e5 100644
--- a/usr.bin/ssh/misc.c
+++ b/usr.bin/ssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.107 2016/11/30 00:28:31 dtucker Exp $ */
+/* $OpenBSD: misc.c,v 1.108 2017/03/14 00:25:03 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -289,7 +289,7 @@ a2tun(const char *s, int *remote)
 long
 convtime(const char *s)
 {
- long total, secs;
+ long total, secs, multiplier = 1;
 const char *p;
 char *endp;
 
@@ -316,23 +316,28 @@ convtime(const char *s)
 break;
 case 'm':
 case 'M':
- secs *= MINUTES;
+ multiplier = MINUTES;
 break;
 case 'h':
 case 'H':
- secs *= HOURS;
+ multiplier = HOURS;
 break;
 case 'd':
 case 'D':
- secs *= DAYS;
+ multiplier = DAYS;
 break;
 case 'w':
 case 'W':
- secs *= WEEKS;
+ multiplier = WEEKS;
 break;
 default:
 return -1;
 }
+ if (secs > LONG_MAX / multiplier)
+ return -1;
+ secs *= multiplier;
+ if (total > LONG_MAX - secs)
+ return -1;
 total += secs;
 if (total < 0)
 return -1; |
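Review bot: The new `multiplier` is only assigned in the unit cases of the switch, while the `= 1` initialiser added to the declaration in the earlier hunk runs once per call rather than once per loop iteration; if the seconds case (the `break;` that opens the third hunk, with its label outside the hunk) and the end-of-string case leave it untouched, a later component of a multi-part string such as `1h30` or `1h30s` inherits the previous component's unit instead of being counted in seconds. Resetting it at the top of the loop body, `multiplier = 1;` immediately before the `strtol()` call (which lies outside this hunk), would keep each component independent. The two overflow guards are correct as long as `secs` is non-negative, which the strtol validation above the hunk presumably enforces; with `total > LONG_MAX - secs` in place the following `if (total < 0) return -1;` can no longer fire and could be dropped to avoid suggesting a second overflow path. The enclosing while loop and convtime's final return are outside the hunk.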