From 8344598910e96899c16011559f2e9f8f26c4d24d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <mail@cynapses.org>
Date: Thu, 3 Sep 2009 17:11:42 +0200
Subject: Fix an integer overflow in buffer_get_data().

Thanks to Orange Labs for the report.
---
 libssh/buffer.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'libssh/buffer.c')

diff --git a/libssh/buffer.c b/libssh/buffer.c
index d3d249e..2f450b5 100644
--- a/libssh/buffer.c
+++ b/libssh/buffer.c
@@ -339,8 +339,13 @@ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){
  * \returns len otherwise.
  */
 uint32_t buffer_get_data(struct ssh_buffer_struct *buffer, void *data, uint32_t len){
-    if(buffer->pos+len>buffer->used)
-        return 0;  /*no enough data in buffer */
+    /*
+     * Check for a integer overflow first, then check if not enough data is in
+     * the buffer.
+     */
+    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+      return 0;
+    }
     memcpy(data,buffer->data+buffer->pos,len);
     buffer->pos+=len;
     return len;   /* no yet support for partial reads (is it really needed ?? ) */
-- 
cgit