upstream: fix integer overflow in XMSS private key parsing.
Reported by Adam Zabrocki via SecuriTeam's SSH program. Note that this code is experimental and not compiled by default. ok markus@ OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
This commit is contained in:
parent
c2cc25480b
commit
a546b17bba
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sshkey-xmss.c,v 1.5 2019/06/28 13:35:04 deraadt Exp $ */
|
||||
/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2017 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
|
|||
goto out;
|
||||
}
|
||||
/* check that an appropriate amount of auth data is present */
|
||||
if (sshbuf_len(encoded) < encrypted_len + authlen) {
|
||||
if (sshbuf_len(encoded) < authlen ||
|
||||
sshbuf_len(encoded) - authlen < encrypted_len) {
|
||||
r = SSH_ERR_INVALID_FORMAT;
|
||||
goto out;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue