shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-12 11:10:28 +09:00
Code Issues Packages Projects Releases Wiki Activity

Fix the security bug found by Orange Labs

Browse Source 
Verify the length of decrypt operation is a multiple of blocksize
This commit is contained in:
Aris Adamantiadis
2009-09-13 22:07:01 +02:00
committed by Andreas Schneider
parent 2f66b3be13
commit 9ef0837c80
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libssh/crypt.c
View File

@@ -60,7 +60,10 @@ u32 packet_decrypt_len(SSH_SESSION *session, char *crypted){
int packet_decrypt(SSH_SESSION *session, void *data,u32 len) { int packet_decrypt(SSH_SESSION *session, void *data,u32 len) {
struct crypto_struct *crypto = session->current_crypto->in_cipher; struct crypto_struct *crypto = session->current_crypto->in_cipher;
char *out = NULL; char *out = NULL;
if(len % session->current_crypto->in_cipher->blocksize != 0){
ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
return SSH_ERROR;
}
out = malloc(len); out = malloc(len);
if (out == NULL) { if (out == NULL) {
return -1; return -1;
@@ -100,7 +103,10 @@ unsigned char *packet_encrypt(SSH_SESSION *session, void *data, u32 len) {
if (!session->current_crypto) { if (!session->current_crypto) {
return NULL; /* nothing to do here */ return NULL; /* nothing to do here */
} }
if(len % session->current_crypto->in_cipher->blocksize != 0){
ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
return NULL;
}
out = malloc(len); out = malloc(len);
if (out == NULL) { if (out == NULL) {
return NULL; return NULL;