From efaebad323dd5a609f7383df8687c70a426a7d53 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 25 Nov 2011 23:02:06 -0500
Subject: CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().

No exploit known, but it is better to check the string length.
---
 src/dh.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/dh.c b/src/dh.c
index 0d46c59..997ae85 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -45,6 +45,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #ifndef _WIN32
 #include <netinet/in.h>
@@ -256,6 +257,10 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) {
   size_t i;
   size_t hlen = len * 3;
 
+  if (len > (UINT_MAX - 1) / 3) {
+    return NULL;
+  }
+
   hexa = malloc(hlen + 1);
   if (hexa == NULL) {
     return NULL;
-- 
cgit