buffer: Calculate correctly the bignum size in buffer

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2026-02-06 18:29:50 +09:00 · 2025-01-03 15:39:07 +01:00
parent 4becc8eb82
commit dab51d8e20
1 changed files with 5 additions and 6 deletions
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -828,6 +828,7 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
    const char *p = NULL;
    ssh_string string = NULL;
    char *cstring = NULL;
+    bignum b = NULL;
    size_t needed_size = 0;
    size_t len;
    size_t count;
@@ -874,17 +875,15 @@ static int ssh_buffer_pack_allocate_va(struct ssh_buffer_struct *buffer,
            break;
        case 'F':
        case 'B':
-            va_arg(ap, bignum);
-            /*
-             * Use a fixed size for a bignum
-             * (they should normally be around 32)
-             */
+            b = va_arg(ap, bignum);
            if (*p == 'F') {
+                /* For padded bignum, we know the exact length */
                len = va_arg(ap, size_t);
                count++; /* increase argument count */
                needed_size += sizeof(uint32_t) + len;
            } else {
-                needed_size += 64;
+                /* The bignum bytes + 1 for possible padding */
+                needed_size += sizeof(uint32_t) + bignum_num_bytes(b) + 1;
            }
            break;
        case 't':