From e1a64c924d81d580fb5b1b7fc2a2d549235e5a23 Mon Sep 17 00:00:00 2001
From: Eshan Kelkar
Date: Tue, 14 May 2024 15:20:17 +0530
Subject: [PATCH] options.c: Add validation against negative rsa min size

The argument for RSA_MIN_SIZE ssh and sshbind option is of (int *) type, and hence the caller can supply a pointer to a location storing a negative value. The commit adds a check to not allow minimum rsa key size to be set to a negative value.

Signed-off-by: Eshan Kelkar
Reviewed-by: Jakub Jelen
---
 src/options.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/options.c b/src/options.c
index 01c1650f..b402f50a 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1217,6 +1217,14 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
 return -1;
 } else {
 int *x = (int *)value;
+
+ if (*x < 0) {
+ ssh_set_error_invalid(session);
+ return -1;
+ }
+
+ /* (*x == 0) is allowed as it is used to revert to default */
+
 if (*x > 0 && *x < 768) {
 ssh_set_error(session, SSH_REQUEST_DENIED,
 "The provided value (%d) for minimal RSA key "
@@ -2468,6 +2476,14 @@ ssh_bind_options_set(ssh_bind sshbind,
 return -1;
 } else {
 int *x = (int *)value;
+
+ if (*x < 0) {
+ ssh_set_error_invalid(sshbind);
+ return -1;
+ }
+
+ /* (*x == 0) is allowed as it is used to revert to default */
+
 if (*x > 0 && *x < 768) {
 ssh_set_error(sshbind, SSH_REQUEST_DENIED,
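Review bot: The new `if (*x < 0)` guard in ssh_options_set rejects a negative size with only the generic `ssh_set_error_invalid(session)`, while the `*x < 768` branch right below it reports the offending value, so the caller gets no hint about which argument was wrong. Reporting it the same way would be more consistent, e.g. `ssh_set_error(session, SSH_REQUEST_DENIED, "The provided value (%d) for minimal RSA key size is negative", *x);` (message wording constructed here). The identical guard in the ssh_bind_options_set hunk has the same gap with `sshbind`. The option's doc comment, which is outside both hunks, presumably should also state that negative values are rejected and that 0 restores the default. Both functions start and end outside the hunks.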