From 3ad559cc231bf6afb1eeb333a854a64c50400e2c Mon Sep 17 00:00:00 2001
From: milo <milo.sshiva@gmail.com>
Date: Fri, 7 Aug 2009 12:13:29 +0200
Subject: Fix buffer overflow in generate_cookie()

Signed-off-by: Andreas Schneider <mail@cynapses.org>
---
 libssh/channels.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'libssh/channels.c')

diff --git a/libssh/channels.c b/libssh/channels.c
index ad679ce..84a222e 100644
--- a/libssh/channels.c
+++ b/libssh/channels.c
@@ -1257,8 +1257,9 @@ int channel_request_sftp( ssh_channel channel){
     return channel_request_subsystem(channel, "sftp");
 }
 
-static void generate_cookie(char *s) {
+static ssh_string generate_cookie(void) {
   static const char *hex = "0123456789abcdef";
+  char s[36];
   int i;
 
   srand ((unsigned int)time(NULL));
@@ -1266,6 +1267,7 @@ static void generate_cookie(char *s) {
     s[i] = hex[rand() % 16];
   }
   s[32] = '\0';
+  return string_from_char(s);
 }
 
 /**
@@ -1296,7 +1298,6 @@ int channel_request_x11(ssh_channel channel, int single_connection, const char *
   ssh_buffer buffer = NULL;
   ssh_string p = NULL;
   ssh_string c = NULL;
-  char s[32];
   int rc = SSH_ERROR;
 
   buffer = buffer_new();
@@ -1312,8 +1313,7 @@ int channel_request_x11(ssh_channel channel, int single_connection, const char *
   if (cookie) {
     c = string_from_char(cookie);
   } else {
-    generate_cookie(s);
-    c = string_from_char(s);
+    c = generate_cookie();
   }
   if (c == NULL) {
     goto error;
-- 
cgit