From add2aa5f45af2d381a1638cdd0d5fcacc1fdd8f9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 8 Sep 2009 11:36:06 +0200
Subject: [PATCH] Fix an integer overflow in buffer_get_data().

Thanks to Orange Labs for the report.
---
 libssh/buffer.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libssh/buffer.c b/libssh/buffer.c
index effc52c2..06859583 100644
--- a/libssh/buffer.c
+++ b/libssh/buffer.c
@@ -298,8 +298,13 @@ u32 buffer_pass_bytes_end(struct buffer_struct *buffer, u32 len){
  * \returns len otherwise.
  */
 u32 buffer_get_data(struct buffer_struct *buffer, void *data, u32 len){
-  if(buffer->pos+len>buffer->used)
-    return 0; /*no enough data in buffer */
+  /*
+   * Check for a integer overflow first, then check if not enough data is in
+   * the buffer.
+   */
+  if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+    return 0;
+  }
   memcpy(data,buffer->data+buffer->pos,len);
   buffer->pos+=len;
   return len; /* no yet support for partial reads (is it really needed ?? ) */
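Review bot: The wrap-around test `buffer->pos + len < len` in the new condition is only well-defined because `u32` is an unsigned type whose addition wraps rather than overflowing; the added comment should state that, or the check can avoid the overflow arithmetic entirely with `if (len > buffer->used - buffer->pos) { return 0; }`, which is correct as long as the module keeps `pos <= used` (an invariant the surrounding code appears to rely on but that I cannot confirm from this hunk). The new comment also reads `Check for a integer overflow`; it should read `Check for an integer overflow`. The function's closing brace lies beyond the end of the hunk.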