Commit 3ce9b809 authored by Deucе

Another Coverity "fix"...

This is kinda valid... I am reading a 32-bit integer from a socket,
then trying to loop that many times.  What Coverity didn't notice
though is that the loop will exit way before due to the buffer
being exhausted.

By ensuring that it's less than UINT32_MAX/4, I'm still not really
enforcing anything since with the 32-bit value for extcnt, and a
32-bit value for every string, there could only be strings before
it failed anyway, even with a 4GB buffer (which you couldn't do).
parent 900e04a0
......@@ -321,6 +321,17 @@ sftp_getfattr(sftp_rx_pkt_t pkt)
if (ret->flags & SSH_FILEXFER_ATTR_EXTENDED) {
uint32_t extcnt = sftp_get32(pkt);
uint32_t ext;
/*
* This is to silence Coverity...
* Coverity knows extcnt is tainted, and
* so I "should" range-check it before using
* it to control loop iterations.
* This loop is actually controlled by the
* size of the buffer since sftp_getstring()
* will fail long before we reach extcnt if
* it has a maliciously high value.
*/
extcnt &= 0x3FFFFFFF;
for (ext = 0; ext < extcnt; ext++) {
sftp_str_t type = sftp_getstring(pkt);
if (type == NULL)
......
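Review bot: At `extcnt &= 0x3FFFFFFF;`, the mask rewrites an out-of-range count instead of rejecting it. A peer that sends a value with either of the top two bits set gets a loop bound equal to the low 30 bits of that value (0x40000001 becomes 1, 0x40000000 becomes 0), and the extended attributes are then parsed as if that smaller count had been sent. If a range check on the tainted value is wanted, compare and fail instead, for example `if (extcnt > UINT32_MAX / 4)` followed by the same failure handling the `type == NULL` branch uses; a comparison is the range check the comment says the checker is asking for, and it keeps a malformed count from being silently accepted. The comment would also read more clearly if it said that 0x3FFFFFFF is UINT32_MAX/4, as the commit message does.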