Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / e661a86353e11592c7ed6a847e19a83609f49e77^! / . / compat.c
commite661a86353e11592c7ed6a847e19a83609f49e77[log] [tgz]
authordjm@openbsd.org <djm@openbsd.org>Mon May 04 06:10:48 2015 +0000
committerDamien Miller <djm@mindrot.org>Sun May 10 11:38:04 2015 +1000
tree5fe2c206d56dd4296a79e20ca6cfbbb83cb7c40c
parent0ef1de742be2ee4b10381193fe90730925b7f027 [diff] [blame]
upstream commit

Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

diff --git a/compat.c b/compat.c
index 7836a86..337bbe0 100644
--- a/compat.c
+++ b/compat.c

@@ -192,8 +192,7 @@
 
 	/* process table, return first match */
 	for (i = 0; check[i].pat; i++) {
-		if (match_pattern_list(version, check[i].pat,
-		    strlen(check[i].pat), 0) == 1) {
+		if (match_pattern_list(version, check[i].pat, 0) == 1) {
 			debug("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
 			datafellows = check[i].bugs;	/* XXX for now */
@@ -251,7 +250,7 @@
 	buffer_init(&b);
 	tmp = orig_prop = xstrdup(proposal);
 	while ((cp = strsep(&tmp, ",")) != NULL) {
-		if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
+		if (match_pattern_list(cp, filter, 0) != 1) {
 			if (buffer_len(&b) > 0)
 				buffer_append(&b, ",", 1);
 			buffer_append(&b, cp, strlen(cp));