author | Damien Miller <djm@mindrot.org> | 2014-02-28 10:00:57 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-02-28 10:00:57 +1100 |
commit | 172ec7e0af1a5f1d682f6a2dca335c6c186153d5 (patch) | |
tree | 452735f875db4829216b42f29d2cf1bf2a9b22ee | |
parent | f9a9aaba437c2787e40cf7cc928281950e161678 (diff) | |
download | openssh-git-172ec7e0af1a5f1d682f6a2dca335c6c186153d5.tar.gz |
- djm@cvs.openbsd.org 2014/02/27 08:25:09
[bufbn.c]
off by one in range check
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | bufbn.c | 4 |
2 files changed, 5 insertions, 2 deletions
@@ -4,6 +4,9 @@ [bufbn.c] fix unsigned overflow that could lead to reading a short ssh protocol 1 bignum value; found by Ben Hawkes; ok deraadt@ + - djm@cvs.openbsd.org 2014/02/27 08:25:09 + [bufbn.c] + off by one in range check 20140227 - OpenBSD CVS Sync @@ -1,4 +1,4 @@ -/* $OpenBSD: bufbn.c,v 1.10 2014/02/27 00:41:49 djm Exp $*/ +/* $OpenBSD: bufbn.c,v 1.11 2014/02/27 08:25:09 djm Exp $*/ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -108,7 +108,7 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value) return (-1); } bits = get_u16(buf); - if (bits > 65536-7) { + if (bits > 65535-7) { error("buffer_get_bignum_ret: cannot handle BN of size %d", bits); return (-1); |
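Review bot: The bound `65535-7` in the `bits` check of the bufbn.c hunk is a bare arithmetic literal with no comment, and the `65536-7` it replaces shows how easily this boundary slips by one. A comment above the check such as `/* get_u16() yields at most 65535; reject sizes where bits + 7 would exceed that */` would let a reader verify the limit. That rationale is inferred from the ChangeLog entry about an unsigned overflow, since the conversion from bits to bytes is outside this hunk. Separately, `error()` prints `bits` with `%d`; if `bits` is declared unsigned (its declaration is not visible here), `%u` is the matching specifier. buffer_get_bignum_ret starts before and continues after the hunk.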