summaryrefslogtreecommitdiff
path: root/lib/ssh.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2017-08-14 23:33:23 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-08-14 23:33:41 +0200
commitff50fe0348466cae1a9f9f759b362c03f7060c34 (patch)
tree6a5a6efbe7bd7b00e49982e09a5da8f8341de28c /lib/ssh.c
parentb53b4e44241415c0a7ad857c72ec323109d2a7c0 (diff)
downloadcurl-ff50fe0348466cae1a9f9f759b362c03f7060c34.tar.gz
strtoofft: reduce integer overflow risks globally
... make sure we bail out on overflows. Reported-by: Brian Carpenter Closes #1758
Diffstat (limited to 'lib/ssh.c')
-rw-r--r--lib/ssh.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/lib/ssh.c b/lib/ssh.c
index 9443e24b9..cc5178fe7 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -2233,18 +2233,25 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
curl_off_t from, to;
char *ptr;
char *ptr2;
+ CURLofft to_t;
+ CURLofft from_t;
- from=curlx_strtoofft(conn->data->state.range, &ptr, 0);
+ from_t = curlx_strtoofft(conn->data->state.range, &ptr, 0, &from);
+ if(from_t == CURL_OFFT_FLOW)
+ return CURLE_RANGE_ERROR;
while(*ptr && (ISSPACE(*ptr) || (*ptr=='-')))
ptr++;
- to=curlx_strtoofft(ptr, &ptr2, 0);
- if((ptr == ptr2) /* no "to" value given */
+ to_t = curlx_strtoofft(ptr, &ptr2, 0, &to);
+ if(to_t == CURL_OFFT_FLOW)
+ return CURLE_RANGE_ERROR;
+ if((to_t == CURL_OFFT_INVAL) /* no "to" value given */
|| (to >= size)) {
to = size - 1;
}
- if(from < 0) {
+ if(from_t) {
/* from is relative to end of file */
- from += size;
+ from = size - to;
+ to = size - 1;
}
if(from > size) {
failf(data, "Offset (%"