ssh formats: fix valid() and buffer in split() to avoid buffer overflow

Related to openwall#5157
AlekseyCherepanov · Jun 30, 2022 · f97a315 · f97a315
1 parent 0af4196
commit f97a315
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/ssh_common_plug.c b/src/ssh_common_plug.c
@@ -44,9 +44,11 @@ int ssh_valid(char *ciphertext, struct fmt_main *self)
 	if (!isdec(p))
 		goto err;
 	len = atoi(p);
+	if (len > N)
+		goto err;
 	if ((p = strtokm(NULL, "$")) == NULL)	/* ciphertext */
 		goto err;
-	if (hexlen(p, &extra) / 2 != len || extra)
+	if (hexlen(p, &extra) != len * 2 || extra)
 		goto err;
 	if (cipher == 2 || cipher == 6) {
 		if ((p = strtokm(NULL, "$")) == NULL)	/* rounds */
@@ -83,7 +85,7 @@ int ssh_valid(char *ciphertext, struct fmt_main *self)
 
 char *ssh_split(char *ciphertext, int index, struct fmt_main *self)
 {
-	static char buf[sizeof(struct custom_salt)+100];
+	static char buf[sizeof(struct custom_salt) * 2 + 100];
 
 	if (strnlen(ciphertext, LINE_BUFFER_SIZE) < LINE_BUFFER_SIZE &&
 	    strstr(ciphertext, "$SOURCE_HASH$"))