Fix an integer overflow in buffer_get_data().

Thanks to Orange Labs for the report.
2026-02-11 18:50:28 +09:00 · 2009-09-03 17:11:42 +02:00
parent 16870abed7
commit 8344598910
1 changed files with 7 additions and 2 deletions
--- a/libssh/buffer.c
+++ b/libssh/buffer.c
@@ -339,8 +339,13 @@ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){
 * \returns len otherwise.
 */
 uint32_t buffer_get_data(struct ssh_buffer_struct *buffer, void *data, uint32_t len){
-    if(buffer->pos+len>buffer->used)
+    /*
-        return 0;  /*no enough data in buffer */
+     * Check for a integer overflow first, then check if not enough data is in
     * the buffer.
     */
    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
      return 0;
    }
    memcpy(data,buffer->data+buffer->pos,len);
    buffer->pos+=len;
    return len;   /* no yet support for partial reads (is it really needed ?? ) */