author | djm@openbsd.org <djm@openbsd.org> | 2023-07-14 07:31:44 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2023-07-14 07:33:30 +0200 |
commit | 2ee48adb9fc8692e8d6ac679dcc9f35e89ad68f0 (patch) | |
tree | d9c74c34a47cfe9db052fcc56b6274279df427b0 /scp.c | |
parent | upstream: misplaced debug message (diff) | |
upstream: add defence-in-depth checks for some unreachable integer
overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@
OpenBSD-Commit-ID: 52af085f4e7ef9f9d8423d8c1840a6a88bda90bd
Diffstat (limited to 'scp.c')
-rw-r--r-- | scp.c | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.256 2023/03/31 05:56:36 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.257 2023/07/14 05:31:44 djm Exp $ */
 /*
  * scp - secure remote copy. This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -838,8 +838,13 @@ emit_expansion(const char *pattern, int brace_start, int brace_end,
     int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
 {
 	char *cp;
-	int o = 0, tail_len = strlen(pattern + brace_end + 1);
+	size_t pattern_len;
+	int o = 0, tail_len;
 
+	if ((pattern_len = strlen(pattern)) == 0 || pattern_len >= INT_MAX)
+		return -1;
+
+	tail_len = strlen(pattern + brace_end + 1);
 	if ((cp = malloc(brace_start + (sel_end - sel_start) +
 	    tail_len + 1)) == NULL)
 		return -1; |
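Review bot: The new guard bounds `pattern_len` but still trusts `brace_end` before `strlen(pattern + brace_end + 1)`, so a defence-in-depth pass over this function leaves the index arguments unchecked; the caller presumably guarantees `brace_start <= sel_start <= sel_end <= brace_end < pattern_len`, but nothing here enforces it. A cheap check after the length test would be `if (brace_end < 0 || (size_t)brace_end >= pattern_len) return -1;`, which also makes the `pattern_len == 0` case fall out naturally. With that invariant, the `malloc` size `brace_start + (sel_end - sel_start) + tail_len + 1` is bounded by `pattern_len` and so cannot overflow `int`, which is worth stating in a comment such as `/* all index arithmetic below is in int and bounded by pattern_len < INT_MAX */` since the `INT_MAX` test otherwise looks arbitrary. The body of `emit_expansion` continues past the end of the hunk.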