From d404ad71525a5cad91d030e20c5346470b20e46d Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 25 Nov 2011 23:00:13 -0500
Subject: [PATCH] channels: Fix integer overflow in generate_cookie().

Since the type of rnd[i] is signed char, (rnd[i] >> 4), which is
considered as arithmetic shift by gcc, could be negative, leading
to out-of-bounds read.
---
 src/channels.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/channels.c b/src/channels.c
index 709598f2..a4733809 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -1828,7 +1828,7 @@ int ssh_channel_request_sftp( ssh_channel channel){
 static ssh_string generate_cookie(void) {
   static const char *hex = "0123456789abcdef";
   char s[36];
-  char rnd[16];
+  unsigned char rnd[16];
   int i;
 
   ssh_get_random(rnd,sizeof(rnd),0);