CVE-2012-4560: Fix a write one past the end of 'buf'.

Andreas Schneider
2012-10-05 11:39:47 +02:00
parent 64fca8a7ed
commit b485463197


@@ -719,7 +719,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
if (*p != '%') { if (*p != '%') {
buf[i] = *p; buf[i] = *p;
i++; i++;
if (i > MAX_BUF_SIZE) { if (i >= MAX_BUF_SIZE) {
free(r);
return NULL; return NULL;
} }
buf[i] = '\0'; buf[i] = '\0';
@@ -771,7 +772,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
} }
i += strlen(x); i += strlen(x);
if (i > MAX_BUF_SIZE) { if (i >= MAX_BUF_SIZE) {
ssh_set_error(session, SSH_FATAL, ssh_set_error(session, SSH_FATAL,
"String too long"); "String too long");
free(x); free(x);