From 2efc1721d85b0f434ffbec016ba3649f715868c2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Sun, 2 Sep 2018 14:06:54 +0200
Subject: [PATCH] string: Don't allow to allocate strings bigger than 256M
Signed-off-by: Andreas Schneider
Reviewed-by: Jakub Jelen
(cherry picked from commit f48dcb26e3c53538a09b64854c320184aa8c2593)
---
 src/string.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/string.c b/src/string.c
index 8e6dfc4c..acd3cf48 100644
--- a/src/string.c
+++ b/src/string.c
@@ -34,6 +34,9 @@
 #include "libssh/priv.h"
 #include "libssh/string.h"
+/* String maximum size is 256M */
+#define STRING_SIZE_MAX 0x10000000
+
 /**
 * @defgroup libssh_string The SSH string functions
 * @ingroup libssh
@@ -54,7 +57,8 @@ struct ssh_string_struct *ssh_string_new(size_t size)
 {
 struct ssh_string_struct *str = NULL;
- if (size > UINT_MAX - sizeof(struct ssh_string_struct)) {
+ if (size > STRING_SIZE_MAX) {
+ errno = EINVAL;
 return NULL;
 }
@@ -137,7 +141,7 @@ size_t ssh_string_len(struct ssh_string_struct *s) {
 }
 size = ntohl(s->size);
- if (size > 0 && size < UINT_MAX) {
+ if (size > 0 && size <= STRING_SIZE_MAX) {
 return size;
 }
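Review bot: The comment on `STRING_SIZE_MAX` in the first hunk gives the value but not what the limit protects, so a later reader cannot tell whether 256M is arbitrary or load-bearing. I would word it as `/* Upper bound on the payload of one ssh_string (256 MiB): ssh_string_new() refuses larger requests and ssh_string_len() does not report larger lengths */`. The macro is defined in the .c file, so any code outside string.c that validates a length before allocating cannot reuse it; if such callers exist, declaring it in `libssh/string.h` would keep the limit in one place.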
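Review bot: In `ssh_string_new` the added `errno = EINVAL;` relies on `<errno.h>`, and the include lines visible in the first hunk show only `libssh/priv.h` and `libssh/string.h`, so it is worth confirming the header is included above line 34. The rejection is also a new caller-visible failure mode, and the function's doc comment (outside this hunk) should say so, for example `@return The newly allocated string, NULL on error; errno is EINVAL when size is larger than STRING_SIZE_MAX.` Callers that pass a length taken from received data then have a documented way to tell an oversized request from any other NULL return in the part of the function outside the hunk.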
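Review bot: In `ssh_string_len` a stored length above `STRING_SIZE_MAX` now fails the `size <= STRING_SIZE_MAX` test and, assuming the code after the hunk falls through to `return 0` as the `size > 0` guard suggests, is reported exactly like an empty string. A caller that then copies or compares zero bytes would accept a malformed string silently instead of rejecting it. Since the `size_t` return cannot carry an error, the doc comment should state this, e.g. `@return The length of the string, or 0 if it is empty, invalid, or longer than STRING_SIZE_MAX.`, and callers handling peer-supplied strings should treat 0 as a possible error. The function body starts and ends outside the hunk.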