From: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Mon, 16 Jun 2025 09:02:19 +0000 (+0000)
Subject: upstream: Fix overflow check in sshbuf_dup_string. It's already
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df3f903d616763a105570610a616dacf0f83438e;p=thirdparty%2Fopenssh-portable.git

upstream: Fix overflow check in sshbuf_dup_string. It's already

constrained by SSHBUF_SIZE_MAX, but still worth fixing the check.  Patch from
afonot via github PR#573, with & ok djm@

OpenBSD-Commit-ID: 438888498e66472fc6a48133196d6538d27bff18
---

diff --git a/sshbuf-misc.c b/sshbuf-misc.c
index adbf9903b..201279faf 100644
--- a/sshbuf-misc.c
+++ b/sshbuf-misc.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf-misc.c,v 1.19 2025/05/21 06:43:48 djm Exp $	*/
+/*	$OpenBSD: sshbuf-misc.c,v 1.20 2025/06/16 09:02:19 dtucker Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -254,7 +254,7 @@ sshbuf_dup_string(struct sshbuf *buf)
 	size_t l = sshbuf_len(buf);
 	char *r;
 
-	if (s == NULL || l > SIZE_MAX)
+	if (s == NULL || l >= SIZE_MAX)
 		return NULL;
 	/* accept a nul only as the last character in the buffer */
 	if (l > 0 && (p = memchr(s, '\0', l)) != NULL) {