[sshd] Guard against numerical overflow
Check the key length before adding; the addition might overflow. Change-Id: Icde7c92a5bb267fdd869d5a1c0842967ab1a7fd9 Signed-off-by: Thomas Wolf <twolf@apache.org>
parent
e8d5914aa6
commit
cbf0d9a76c
|
@ -427,14 +427,14 @@ private static byte[] asn1Parse(byte[] encoded, int n) throws IOException {
|
|||
private static PublicKey readKey(Buffer buffer) throws BufferException {
|
||||
int endOfBuffer = buffer.wpos();
|
||||
int keyLength = buffer.getInt();
|
||||
int afterKey = buffer.rpos() + keyLength;
|
||||
if (keyLength <= 0 || afterKey > endOfBuffer) {
|
||||
if (keyLength <= 0 || keyLength > buffer.available()) {
|
||||
throw new BufferException(
|
||||
MessageFormat.format(SshdText.get().sshAgentWrongKeyLength,
|
||||
Integer.toString(keyLength),
|
||||
Integer.toString(buffer.rpos()),
|
||||
Integer.toString(endOfBuffer)));
|
||||
}
|
||||
int afterKey = buffer.rpos() + keyLength;
|
||||
// Limit subsequent reads to the public key blob
|
||||
buffer.wpos(afterKey);
|
||||
try {
|
||||
|
|
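Review bot: The reordered check in readKey has no comment explaining why the length is compared with `buffer.available()` before `afterKey` is computed, so a later clean-up could merge the two back into `rpos() + keyLength > endOfBuffer` and reintroduce the wrap-around. I would add above the `if`: `// Compare with available() first: keyLength is read from the buffer, and rpos() + keyLength may overflow int`. No test is visible in this view; one that supplies a length field of `Integer.MAX_VALUE` and expects a BufferException would pin the behaviour. readKey's body continues past the end of the hunk (the `try` block), so this view does not show whether the original write position is restored after the key blob is read.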