mirror of
git://git.gnupg.org/gnupg.git
synced 2024-06-28 02:12:46 +02:00
agent: Fix length test in sshcontrol parser.
* agent/command-ssh.c (ssh_search_control_file): Check S before
upcasing it.
--
In contradiction to the comment we did not check the length of HEXGRIP
and thus the GPG_ERR_INV_LENGTH was never triggered.
Detected by Stack 0.3:
bug: anti-simplify
model: |
%cmp8 = icmp ne i32 %i.0, 40, !dbg !986
--> false
stack:
- /home/wk/s/gnupg/agent/command-ssh.c:1226:0
ncore: 2
core:
- /home/wk/s/gnupg/agent/command-ssh.c:1225:0
- buffer overflow
- /home/wk/s/gnupg/agent/command-ssh.c:1225:0
- buffer overflow
(backported from 2.1 commit 3529dd8bb5
)
parent
b4ec909186
commit
a838e8f806
|
@ -1113,7 +1113,7 @@ ssh_search_control_file (ssh_control_file_t cf,
|
|||
/* We need to make sure that HEXGRIP is all uppercase. The easiest
|
||||
way to do this and also check its length is by copying to a
|
||||
second buffer. */
|
||||
for (i=0, s=hexgrip; i < 40; s++, i++)
|
||||
for (i=0, s=hexgrip; i < 40 && *s; s++, i++)
|
||||
uphexgrip[i] = *s >= 'a'? (*s & 0xdf): *s;
|
||||
uphexgrip[i] = 0;
|
||||
if (i != 40)
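Review bot: The length test after the loop is still one-sided. With `i < 40 && *s` a HEXGRIP shorter than 40 characters now stops early and is caught by `if (i != 40)`, but a value longer than 40 characters leaves the loop at `i == 40` with `*s` still non-zero and passes the test, so only its first 40 characters are used. Unless every caller is known to pass an exactly 40-character grip, I would write the check as `if (i != 40 || *s)` so that over-long input is rejected on the same path (presumably the GPG_ERR_INV_LENGTH one named in the description). The declaration of `uphexgrip` and the rest of ssh_search_control_file lie outside the hunk; the `uphexgrip[i] = 0;` store at `i == 40` needs a buffer of at least 41 bytes, which is worth confirming there.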
|
||||
|
|