- djm@cvs.openbsd.org 2014/02/27 00:41:49

     [bufbn.c]
     fix unsigned overflow that could lead to reading a short ssh protocol
     1 bignum value; found by Ben Hawkes; ok deraadt@

diff --git a/ChangeLog b/ChangeLog
index 7aa8a9f38e77823d7a3322a74dda7aceb8fcb135..416f4b58c95aa4058720e514ea1e2cdd1eb9cf20 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140228
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/02/27 00:41:49
+     [bufbn.c]
+     fix unsigned overflow that could lead to reading a short ssh protocol
+     1 bignum value; found by Ben Hawkes; ok deraadt@
+
 20140227
  - OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2014/02/26 20:18:37

diff --git a/bufbn.c b/bufbn.c
index c4ad810e45391b5b368cf3dab3acda061909cd36..40e8ed4d54e32798269cb8768a50cfc7ca64f6fd 100644 (file)
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufbn.c,v 1.9 2014/02/02 03:44:31 djm Exp $*/
+/* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -108,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
                return (-1);
        }
        bits = get_u16(buf);
+       if (bits > 65536-7) {
+               error("buffer_get_bignum_ret: cannot handle BN of size %d",
+                   bits);
+               return (-1);
+       }
        /* Compute the number of binary bytes that follow. */
        bytes = (bits + 7) / 8;
        if (bytes > 8 * 1024) {