CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().

No exploit known, but it is better to check the string length.
2026-02-04 12:20:42 +09:00 · 2011-11-25 23:02:06 -05:00
parent 2ee6282fdd
commit 8489521c0d
1 changed files with 4 additions and 0 deletions
--- a/src/dh.c
+++ b/src/dh.c
@@ -44,6 +44,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>

 #ifndef _WIN32
 #include <netinet/in.h>
@@ -194,6 +195,9 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
  char *hexa = NULL;
  size_t i;

+  if (len > (UINT_MAX - 1) / 3)
+    return NULL;
+
  hexa = malloc(len * 3 + 1);
  if (hexa == NULL) {
    return NULL;