agent: Fix length test in sshcontrol parser.
author Werner Koch <wk@gnupg.org>
Sun, 15 Mar 2015 12:04:48 +0000 (13:04 +0100)
committer NIIBE Yutaka <gniibe@fsij.org>
Wed, 15 Apr 2015 07:07:08 +0000 (16:07 +0900)
commit a838e8f806693e9403541f482b58b66c606e376b
tree f41fe3e6e06da3ac14817e983a073414b38c7f26
parent b4ec909186d0150c835942754283ecc2bdf6e3e0
agent: Fix length test in sshcontrol parser.

* agent/command-ssh.c (ssh_search_control_file): Check S before
upcasing it.
--

In contradiction to the comment we did not check the length of HEXGRIP
and thus the GPG_ERR_INV_LENGTH was never triggered.

Detected by Stack 0.3:

  bug: anti-simplify
  model: |
    %cmp8 = icmp ne i32 %i.0, 40, !dbg !986
    -->  false
  stack:
    - /home/wk/s/gnupg/agent/command-ssh.c:1226:0
  ncore: 2
  core:
    - /home/wk/s/gnupg/agent/command-ssh.c:1225:0
      - buffer overflow
    - /home/wk/s/gnupg/agent/command-ssh.c:1225:0
      - buffer overflow

(backported from 2.1 commit 3529dd8bb5bafc4e02915648d5f409bd27a9cc37)
agent/command-ssh.c
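
The bug class the commit message describes, as an added sketch that is not GnuPG's code: a copy-and-upcase loop bounded only by its counter, which makes the length test after it dead, next to a version that checks the source character first. The function names, `GRIP_HEXLEN`, and `ERR_INV_LENGTH` (a stand-in for GPG_ERR_INV_LENGTH) are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>

#define GRIP_HEXLEN 40     /* hex digits in a 20-byte keygrip */
#define ERR_INV_LENGTH 1   /* stand-in for GPG_ERR_INV_LENGTH */

/* Flawed pattern: only the counter bounds the loop, so it always runs
   40 times, reads past the end of a shorter string, and the length
   test after it can never be true. */
static int upcase_grip_flawed(const char *hexgrip, char *out)
{
    const char *s;
    int i;

    for (i = 0, s = hexgrip; i < GRIP_HEXLEN; s++, i++)
        out[i] = (char)toupper((unsigned char)*s);
    out[i] = 0;
    return i != GRIP_HEXLEN ? ERR_INV_LENGTH : 0;   /* always 0 */
}

/* Corrected pattern: check *s before upcasing it, so a short input
   ends the loop early and the length test can fire. */
static int upcase_grip_checked(const char *hexgrip, char *out)
{
    const char *s;
    int i;

    for (i = 0, s = hexgrip; i < GRIP_HEXLEN && *s; s++, i++)
        out[i] = (char)toupper((unsigned char)*s);
    out[i] = 0;
    return i != GRIP_HEXLEN ? ERR_INV_LENGTH : 0;
}

int main(void)
{
    /* Constructed input: a 4-digit grip in a zero-padded 41-byte buffer,
       so the flawed loop's over-read stays inside the array here. */
    char short_grip[GRIP_HEXLEN + 1] = "abcd";
    char out[GRIP_HEXLEN + 1];

    printf("flawed:  %d\n", upcase_grip_flawed(short_grip, out));
    printf("checked: %d\n", upcase_grip_checked(short_grip, out));
    return 0;
}
```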