From a70fd6ed3b33d9e2c89fe35c96102c156d39f1f9 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 30 Apr 2020 18:44:40 +0200
Subject: Better fix for integer overflow in SSH Credits to GHSL
---
 src/lib/protocols/ssh.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 849dbeed4..2b7e69aac 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -114,7 +114,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 goto invalid_payload;
 /* ssh.server_host_key_algorithms [None] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
- if (len > UINT32_MAX - 4 - offset)
+ if (len > UINT32_MAX - 8 - offset)
 goto invalid_payload;
 offset += 4 + len;
 
@@ -132,7 +132,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 buf_out_len += len;
 buf[buf_out_len++] = ';';
 }
- if (len > UINT32_MAX - offset)
+ if (len > UINT32_MAX - 4 - offset)
 goto invalid_payload;
 offset += len;
 
@@ -150,7 +150,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 buf_out_len += len;
 buf[buf_out_len++] = ';';
 }
- if (len > UINT32_MAX - offset)
+ if (len > UINT32_MAX - 4 - offset)
 goto invalid_payload;
 offset += len;
 
@@ -168,7 +168,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 buf_out_len += len;
 buf[buf_out_len++] = ';';
 }
- if (len > UINT32_MAX - offset)
+ if (len > UINT32_MAX - 4 - offset)
 goto invalid_payload;
 offset += len;
 
@@ -186,7 +186,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 buf_out_len += len;
 buf[buf_out_len++] = ';';
 }
- if (len > UINT32_MAX - offset)
+ if (len > UINT32_MAX - 4 - offset)
 goto invalid_payload;
 offset += len;
 
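Review bot: In the hunk at `@@ -114`, the new guard `len > UINT32_MAX - 8 - offset` only keeps the 32-bit arithmetic from wrapping; it does not tie the wire-supplied `len` to the bytes actually present in the packet. After `offset += 4 + len` the offset can therefore still lie far past the payload, and safety rests on the next bounds check, which is outside the hunk. Rejecting here against the remaining payload length rather than `UINT32_MAX` would make the check local and remove the need for a magic constant. If the constant stays, a comment such as `/* 4 for this length field + 4 so the following offset+4 bounds check cannot wrap */` would record why it is 8 here and 4 in the later hunks; that reading is inferred from the visible arithmetic and should be confirmed against the full function.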
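Review bot: The pair `if (len > UINT32_MAX - 4 - offset) goto invalid_payload;` / `offset += len;` is now repeated verbatim in the hunks at `@@ -132`, `@@ -150`, `@@ -168`, `@@ -186` and `@@ -203`, and this commit had to correct every copy by hand, which is how one copy eventually gets missed. A small static helper (the name below is only a suggestion) would keep the headroom rule in one place. It can also reject an `offset` already above `UINT32_MAX - 4`, a case in which the right-hand side of the current comparison would itself wrap, assuming `offset` is a 32-bit unsigned value as the comparison suggests. The enclosing `if` blocks and the function body start and end outside these hunks, so the call site is sketched rather than rewritten.

```c
/* Advance *offset past a len-byte field, keeping `reserve` bytes of headroom
 * below UINT32_MAX so the caller's next offset+4 bounds check cannot wrap.
 * Returns 0 on success, -1 if the field cannot be skipped safely. */
static int ssh_skip_field(u_int32_t *offset, u_int32_t len, u_int32_t reserve) {
  if (*offset > UINT32_MAX - reserve || len > UINT32_MAX - reserve - *offset)
    return -1;
  *offset += len;
  return 0;
}

/* … unchanged: length read and optional copy into buf … */
if (ssh_skip_field(&offset, len, 4) < 0)
  goto invalid_payload;
```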
@@ -203,7 +203,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
 buf_out_len += len;
 }
- if (len > UINT32_MAX - offset)
+ if (len > UINT32_MAX - 4 - offset)
 goto invalid_payload;
 offset += len;
 
-- 
cgit v1.2.3
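Review bot: In the hunk at `@@ -203` the guard runs after `strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len)` has already consumed `len`, so it protects only the later `offset += len`, not the copy; the earlier hunks show the same ordering, with `buf_out_len += len` ahead of the guard. Whether `len` has been bounded against both the remaining payload and the free space in `buf` before the copy cannot be seen from these lines, and `strncpy` leaves the destination unterminated when the source has no NUL within `len` bytes. A comment directly above the copy naming the earlier check that bounds `len`, and stating who terminates `buf`, would make that dependency auditable. The `if` block containing the copy opens outside the hunk.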