1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-04 20:38:50 +01:00

agent: Fix length test in sshcontrol parser.

* agent/command-ssh.c (ssh_search_control_file): Check S before
upcasing it.
--

In contradiction to the comment we did not check the length of HEXGRIP
and thus the GPG_ERR_INV_LENGTH was never triggered.

Detected by Stack 0.3:

  bug: anti-simplify
  model: |
    %cmp8 = icmp ne i32 %i.0, 40, !dbg !986
    -->  false
  stack:
    - /home/wk/s/gnupg/agent/command-ssh.c:1226:0
  ncore: 2
  core:
    - /home/wk/s/gnupg/agent/command-ssh.c:1225:0
      - buffer overflow
    - /home/wk/s/gnupg/agent/command-ssh.c:1225:0
      - buffer overflow

(backported from 2.1 commit 3529dd8bb5)
This commit is contained in:
Werner Koch 2015-03-15 13:04:48 +01:00 committed by NIIBE Yutaka
parent b4ec909186
commit a838e8f806

View File

@ -1113,7 +1113,7 @@ ssh_search_control_file (ssh_control_file_t cf,
/* We need to make sure that HEXGRIP is all uppercase. The easiest /* We need to make sure that HEXGRIP is all uppercase. The easiest
way to do this and also check its length is by copying to a way to do this and also check its length is by copying to a
second buffer. */ second buffer. */
for (i=0, s=hexgrip; i < 40; s++, i++) for (i=0, s=hexgrip; i < 40 && *s; s++, i++)
uphexgrip[i] = *s >= 'a'? (*s & 0xdf): *s; uphexgrip[i] = *s >= 'a'? (*s & 0xdf): *s;
uphexgrip[i] = 0; uphexgrip[i] = 0;
if (i != 40) if (i != 40)