Merge pull request #90 from JacobBarthelmeh/fuzz

ejohnstown · web-flow · commit 1a0be6492fb6 · 2018-08-14T10:38:37.000-07:00
fix for possible overflow with sanity check
diff --git a/src/internal.c b/src/internal.c
@@ -2204,7 +2204,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
         begin = *idx;
         pubKey = buf + begin;
         ret = GetUint32(&pubKeySz, buf, len, &begin);
-        if (ret == WS_SUCCESS && (pubKeySz + LENGTH_SZ + begin > len)) {
+        if (ret == WS_SUCCESS && (pubKeySz > len - LENGTH_SZ - begin )) {
             ret = WS_BUFFER_E;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -2204,7 +2204,7 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)`
`2204`	`2204`	`begin = *idx;`
`2205`	`2205`	`pubKey = buf + begin;`
`2206`	`2206`	`ret = GetUint32(&pubKeySz, buf, len, &begin);`
`2207`		`- if (ret == WS_SUCCESS && (pubKeySz + LENGTH_SZ + begin > len)) {`
	`2207`	`+ if (ret == WS_SUCCESS && (pubKeySz > len - LENGTH_SZ - begin )) {`
`2208`	`2208`	`ret = WS_BUFFER_E;`
`2209`	`2209`	`}`
`2210`	`2210`