diff options
| author | millert@openbsd.org <millert@openbsd.org> | 2017-04-27 13:53:12 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-04-28 05:26:36 +0200 |
| commit | 91bd2181866659f00714903e78e1c3edd4c45f3d (patch) | |
| tree | b6fe734af18bd400a140a94ed781a70af6404406 /scp.c | |
| parent | Fix typo in "socketcall". (diff) | |
| download | openssh-91bd2181866659f00714903e78e1c3edd4c45f3d.tar.xz openssh-91bd2181866659f00714903e78e1c3edd4c45f3d.zip | |
upstream commit
Avoid potential signed int overflow when parsing the file
size. Use strtoul() instead of parsing manually. OK djm@
Upstream-ID: 1f82640861c7d905bbb05e7d935d46b0419ced02
Diffstat (limited to 'scp.c')
| -rw-r--r-- | scp.c | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.187 2016/09/12 01:22:38 deraadt Exp $ */ +/* $OpenBSD: scp.c,v 1.188 2017/04/27 11:53:12 millert Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -1043,10 +1043,15 @@ sink(int argc, char **argv) if (*cp++ != ' ') SCREWUP("mode not delimited"); - for (size = 0; isdigit((unsigned char)*cp);) - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') + if (!isdigit((unsigned char)*cp)) + SCREWUP("size not present"); + ull = strtoull(cp, &cp, 10); + if (!cp || *cp++ != ' ') SCREWUP("size not delimited"); + if ((off_t)ull < 0 || (unsigned long long)(off_t)ull != ull) + SCREWUP("size out of range"); + size = (off_t)ull; + if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { run_err("error: unexpected filename: %s", cp); exit(1); |