Google Git
Sign in
gerrit/jgit/cbf0d9a76c4ebfed1d3f41aeb259b9f012dc97b5^!/.
commit
cbf0d9a76c4ebfed1d3f41aeb259b9f012dc97b5
[log]
author
Thomas Wolf <twolf@apache.org>
Sat Oct 01 20:44:59 2022 +0200
committer
Thomas Wolf <twolf@apache.org>
Sat Oct 01 20:45:34 2022 +0200
tree
a6c535445d0535395c4e02a0aad3ea8634d6b3d8
parent
e8d5914aa6582208b318bcba3375d0fcc4ad00a8 [diff]
[sshd] Guard against numerical overflow

Check the key length before adding; the addition might overflow.

Change-Id: Icde7c92a5bb267fdd869d5a1c0842967ab1a7fd9
Signed-off-by: Thomas Wolf <twolf@apache.org>
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/agent/SshAgentClient.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/agent/SshAgentClient.java
index cbcb4d2..4969414 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/agent/SshAgentClient.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/agent/SshAgentClient.java

@@ -427,14 +427,14 @@ private static void putEd25519Key(Buffer msg, KeyPair key)
 	private static PublicKey readKey(Buffer buffer) throws BufferException {
 		int endOfBuffer = buffer.wpos();
 		int keyLength = buffer.getInt();
-		int afterKey = buffer.rpos() + keyLength;
-		if (keyLength <= 0 || afterKey > endOfBuffer) {
+		if (keyLength <= 0 || keyLength > buffer.available()) {
 			throw new BufferException(
 					MessageFormat.format(SshdText.get().sshAgentWrongKeyLength,
 							Integer.toString(keyLength),
 							Integer.toString(buffer.rpos()),
 							Integer.toString(endOfBuffer)));
 		}
+		int afterKey = buffer.rpos() + keyLength;
 		// Limit subsequent reads to the public key blob
 		buffer.wpos(afterKey);
 		try {