123 lines
4.1 KiB
Diff
123 lines
4.1 KiB
Diff
|
From 7656b1be8dc5425d5af03ffa6af711599fc07e80 Mon Sep 17 00:00:00 2001
|
||
|
From: Baruch Siach <baruch@tkos.co.il>
|
||
|
Date: Tue, 22 Jan 2019 08:16:50 +0200
|
||
|
Subject: [PATCH] buffer: Convert argc to size_t in ssh_buffer_unpack() as well
|
||
|
|
||
|
Commit c306a693f3fb ("buffer: Use size_t for argc argument in
|
||
|
ssh_buffer_(un)pack()") mentioned unpack in the commit log, but it only
|
||
|
touches the pack variants. Extend the conversion to unpack.
|
||
|
|
||
|
Pre-initialize the p pointer to avoid possible use before
|
||
|
initialization in case of early argc check failure.
|
||
|
|
||
|
This fixes build failure:
|
||
|
|
||
|
.../libssh-0.8.6/src/buffer.c: In function 'ssh_buffer_unpack_va':
|
||
|
.../libssh-0.8.6/src/buffer.c:1229:16: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
|
||
|
if (argc == -1){
|
||
|
^
|
||
|
|
||
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||
|
---
|
||
|
Upstream status: https://www.libssh.org/archive/libssh/2019-01/0000032.html
|
||
|
|
||
|
include/libssh/buffer.h | 4 ++--
|
||
|
src/buffer.c | 25 +++++++++++++------------
|
||
|
2 files changed, 15 insertions(+), 14 deletions(-)
|
||
|
|
||
|
diff --git a/include/libssh/buffer.h b/include/libssh/buffer.h
|
||
|
index 1c375343ee14..cd2dea6a7ecc 100644
|
||
|
--- a/include/libssh/buffer.h
|
||
|
+++ b/include/libssh/buffer.h
|
||
|
@@ -50,11 +50,11 @@ int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
|
||
|
_ssh_buffer_pack((buffer), (format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__, SSH_BUFFER_PACK_END)
|
||
|
|
||
|
int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
|
||
|
- const char *format, int argc,
|
||
|
+ const char *format, size_t argc,
|
||
|
va_list ap);
|
||
|
int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer,
|
||
|
const char *format,
|
||
|
- int argc,
|
||
|
+ size_t argc,
|
||
|
...);
|
||
|
#define ssh_buffer_unpack(buffer, format, ...) \
|
||
|
_ssh_buffer_unpack((buffer), (format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__, SSH_BUFFER_PACK_END)
|
||
|
diff --git a/src/buffer.c b/src/buffer.c
|
||
|
index 99863747fc3c..c8ad20f24e43 100644
|
||
|
--- a/src/buffer.c
|
||
|
+++ b/src/buffer.c
|
||
|
@@ -1082,11 +1082,11 @@ int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
|
||
|
*/
|
||
|
int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
|
||
|
const char *format,
|
||
|
- int argc,
|
||
|
+ size_t argc,
|
||
|
va_list ap)
|
||
|
{
|
||
|
int rc = SSH_ERROR;
|
||
|
- const char *p, *last;
|
||
|
+ const char *p = format, *last;
|
||
|
union {
|
||
|
uint8_t *byte;
|
||
|
uint16_t *word;
|
||
|
@@ -1098,16 +1098,21 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
|
||
|
} o;
|
||
|
size_t len, rlen, max_len;
|
||
|
va_list ap_copy;
|
||
|
- int count; /* int for size comparison with argc */
|
||
|
+ size_t count;
|
||
|
|
||
|
max_len = ssh_buffer_get_len(buffer);
|
||
|
|
||
|
/* copy the argument list in case a rollback is needed */
|
||
|
va_copy(ap_copy, ap);
|
||
|
|
||
|
- for (p = format, count = 0; *p != '\0'; p++, count++) {
|
||
|
+ if (argc > 256) {
|
||
|
+ rc = SSH_ERROR;
|
||
|
+ goto cleanup;
|
||
|
+ }
|
||
|
+
|
||
|
+ for (count = 0; *p != '\0'; p++, count++) {
|
||
|
/* Invalid number of arguments passed */
|
||
|
- if (argc != -1 && count > argc) {
|
||
|
+ if (count > argc) {
|
||
|
rc = SSH_ERROR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
@@ -1217,7 +1222,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- if (argc != -1 && argc != count) {
|
||
|
+ if (argc != count) {
|
||
|
rc = SSH_ERROR;
|
||
|
}
|
||
|
|
||
|
@@ -1226,11 +1231,7 @@ cleanup:
|
||
|
/* Check if our canary is intact, if not something really bad happened */
|
||
|
uint32_t canary = va_arg(ap, uint32_t);
|
||
|
if (canary != SSH_BUFFER_PACK_END){
|
||
|
- if (argc == -1){
|
||
|
- rc = SSH_ERROR;
|
||
|
- } else {
|
||
|
- abort();
|
||
|
- }
|
||
|
+ abort();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
@@ -1320,7 +1321,7 @@ cleanup:
|
||
|
*/
|
||
|
int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer,
|
||
|
const char *format,
|
||
|
- int argc,
|
||
|
+ size_t argc,
|
||
|
...)
|
||
|
{
|
||
|
va_list ap;
|
||
|
--
|
||
|
2.20.1
|
||
|
|