https://bugzilla.mindrot.org/show_bug.cgi?id=2566
--- Comment #2 from Torben <[email protected]> ---

Hi Damien,

This patch would prevent any integer overflows. But by promoting padlen to u_int you now open up for the possibility of having padlen > 255 (which does happen for the same values that would make the variable wrap in the first case). I'm not sure what consequences it has for the execution of the code following the extra padding computation. It is nonetheless illegal to have more than 255 bytes of padding according to RFC 4253 section 6.

Checking if padlen + pad > 255 (instead of just pad > 255) would prevent this problem.

Cheers,
Torben

openssh-bugs mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
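The three cases the comment above distinguishes, as an added example that is not part of the original message and is not OpenSSH's code: a byte-wide padlen that wraps, a widened padlen with only `pad` checked, and a check on the sum. The function names, the `-1` reject value and the sample values 12 and 250 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 4253 section 6: padding_length is a single byte, so at most 255. */
#define MAX_PADLEN 255u

/* Case 1: padlen held in a byte. The sum is truncated modulo 256. */
unsigned add_pad_u8(uint8_t padlen, unsigned pad)
{
    padlen = (uint8_t)(padlen + pad);
    return padlen;
}

/* Case 2: padlen widened to unsigned int, only pad is checked.
 * No wrap, but the returned total can exceed 255. Returns -1 on reject. */
int add_pad_check_pad_only(unsigned padlen, unsigned pad)
{
    if (pad > MAX_PADLEN)
        return -1;
    return (int)(padlen + pad);
}

/* Case 3: the check suggested in the comment, padlen + pad > 255.
 * Written as a subtraction so the test itself cannot overflow. */
int add_pad_check_sum(unsigned padlen, unsigned pad)
{
    if (padlen > MAX_PADLEN || pad > MAX_PADLEN - padlen)
        return -1;
    return (int)(padlen + pad);
}

int main(void)
{
    /* Constructed sample values: 12 bytes of base padding, 250 extra. */
    unsigned padlen = 12, pad = 250;

    printf("u8 wrap:        %u\n", add_pad_u8((uint8_t)padlen, pad));
    printf("pad-only check: %d\n", add_pad_check_pad_only(padlen, pad));
    printf("sum check:      %d\n", add_pad_check_sum(padlen, pad));
    return 0;
}
```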
