- djm@cvs.openbsd.org 2014/02/27 08:25:09

[bufbn.c] off by one in range check
author: Damien Miller <djm@mindrot.org> 2014-02-28 10:00:57 +1100
committer: Damien Miller <djm@mindrot.org> 2014-02-28 10:00:57 +1100
commit: 172ec7e0af1a5f1d682f6a2dca335c6c186153d5 (patch)
tree: 452735f875db4829216b42f29d2cf1bf2a9b22ee
parent: f9a9aaba437c2787e40cf7cc928281950e161678 (diff)
download: openssh-git-172ec7e0af1a5f1d682f6a2dca335c6c186153d5.tar.gz
2 files changed, 5 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 416f4b58..f9196372 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
      [bufbn.c]
      fix unsigned overflow that could lead to reading a short ssh protocol
      1 bignum value; found by Ben Hawkes; ok deraadt@
+   - djm@cvs.openbsd.org 2014/02/27 08:25:09
+     [bufbn.c]
+     off by one in range check
 
 20140227
  - OpenBSD CVS Sync
diff --git a/bufbn.c b/bufbn.c
index 40e8ed4d..1d2e0126 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/
+/* $OpenBSD: bufbn.c,v 1.11 2014/02/27 08:25:09 djm Exp $*/
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -108,7 +108,7 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
 		return (-1);
 	}
 	bits = get_u16(buf);
-	if (bits > 65536-7) {
+	if (bits > 65535-7) {
 		error("buffer_get_bignum_ret: cannot handle BN of size %d",
 		    bits);
 		return (-1);
author	Damien Miller <djm@mindrot.org>	2014-02-28 10:00:57 +1100
committer	Damien Miller <djm@mindrot.org>	2014-02-28 10:00:57 +1100
commit	172ec7e0af1a5f1d682f6a2dca335c6c186153d5 (patch)
tree	452735f875db4829216b42f29d2cf1bf2a9b22ee
parent	f9a9aaba437c2787e40cf7cc928281950e161678 (diff)
download	openssh-git-172ec7e0af1a5f1d682f6a2dca335c6c186153d5.tar.gz