On Sat, Sep 20, 2014 at 3:07 PM, Maxime Villard <m...@m00nbsd.net> wrote:
> Hi,
> I put here a bug among others:
>
> Index: ssh-ed25519.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-ed25519.c,v
> retrieving revision 1.4
> diff -u -r1.4 ssh-ed25519.c
> --- ssh-ed25519.c 24 Jun 2014 01:13:21 -0000 1.4
> +++ ssh-ed25519.c 29 Aug 2014 10:28:35 -0000
> @@ -125,8 +125,10 @@
> r = SSH_ERR_INVALID_FORMAT;
> goto out;
> }
> - if (datalen >= SIZE_MAX - len)
> - return SSH_ERR_INVALID_ARGUMENT;
> + if (datalen >= SIZE_MAX - len) {
> + r = SSH_ERR_INVALID_ARGUMENT;
> + goto out;
> + }
> smlen = len + datalen;
> mlen = smlen;
> if ((sm = malloc(smlen)) == NULL || (m = xmalloc(mlen)) == NULL) {
>
> Found by my code scanner.
>
> Maxime
>
applied. thanks.
