From dab51d8e203dc7cf7fe6a2e3c054320ce41e9a33 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 3 Jan 2025 15:39:07 +0100
Subject: [PATCH] buffer: Calculate correctly the bignum size in buffer

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
Reviewed-by: Sahana Prasad
---
 src/buffer.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/buffer.c b/src/buffer.c
index 579151c9..019d8b91 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -828,6 +828,7 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
     const char *p = NULL;
     ssh_string string = NULL;
     char *cstring = NULL;
+    bignum b = NULL;
     size_t needed_size = 0;
     size_t len;
     size_t count;
@@ -874,17 +875,15 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
             break;
         case 'F':
         case 'B':
-            va_arg(ap, bignum);
-            /*
-             * Use a fixed size for a bignum
-             * (they should normally be around 32)
-             */
+            b = va_arg(ap, bignum);
             if (*p == 'F') {
+                /* For padded bignum, we know the exact length */
                 len = va_arg(ap, size_t);
                 count++; /* increase argument count */
                 needed_size += sizeof(uint32_t) + len;
             } else {
-                needed_size += 64;
+                /* The bignum bytes + 1 for possible padding */
+                needed_size += sizeof(uint32_t) + bignum_num_bytes(b) + 1;
             }
             break;
         case 't':
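Review bot: The new `else` branch dereferences the variadic bignum via `bignum_num_bytes(b)` in the size pre-pass, whereas the removed code only consumed the argument and added a fixed 64; a NULL `b` (the new declaration initialises it to NULL and nothing visible rejects one) would now fault here, before whatever check the later pack step performs. A guard before the arithmetic would keep the failure mode explicit, e.g. `if (b == NULL) { /* fail the pack with this function's error return */ }` — the body of `ssh_buffer_pack_allocate_va` starts and ends outside the hunk, so the error-return convention to use is not visible. The `'F'` branch is unaffected since it only consumes `b` and sizes from the explicit `len`. The added comment would also be more useful if it named the reason for the extra byte, e.g. `/* +1 for the leading zero byte an mpint needs when the top bit is set */`, rather than the generic "possible padding".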