string: Improve ssh_string_len() to avoid tainted variables

CID: #1278978 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2015-05-04 16:32:05 +02:00 · 2015-05-04 16:32:05 +02:00 · 83d3ee7fdb
--- a/src/string.c
+++ b/src/string.c
@ -129,11 +129,18 @@ struct ssh_string_struct *ssh_string_from_char(const char *what) {
 * @return The size of the content of the string, 0 on error.
 */
 size_t ssh_string_len(struct ssh_string_struct *s) {
-  if (s == NULL) {
-    return ntohl(0);
-  }
+    size_t size;

-  return ntohl(s->size);
+    if (s == NULL) {
+        return 0;
+    }
+
+    size = ntohl(s->size);
+    if (size > 0 && size < UINT_MAX) {
+        return size;
+    }
+
+    return 0;
 }

 /**