CVE-2012-4560: Fix a write one past the end of 'buf'.

2012-10-05 11:39:47 +02:00 · 2012-10-05 11:39:47 +02:00 · bd3acae4f3
--- a/src/misc.c
+++ b/src/misc.c
@ -723,7 +723,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
        if (*p != '%') {
            buf[i] = *p;
            i++;
-            if (i > MAX_BUF_SIZE) {
+            if (i >= MAX_BUF_SIZE) {
+                free(r);
                return NULL;
            }
            buf[i] = '\0';
@ -775,7 +776,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
        }

        i += strlen(x);
-        if (i > MAX_BUF_SIZE) {
+        if (i >= MAX_BUF_SIZE) {
            ssh_set_error(session, SSH_FATAL,
                    "String too long");
            free(x);