From: millert <millert@openbsd.org>
Date: Thu, 27 Apr 2017 11:53:12 +0000 (+0000)
Subject: Avoid potential signed int overflow when parsing the file size.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f3b3b7c7ca9a921db3a5650eed40f2b2e4d731d8;p=openbsd

Avoid potential signed int overflow when parsing the file size.
Use strtoul() instead of parsing manually.  OK djm@
---

diff --git a/usr.bin/ssh/scp.c b/usr.bin/ssh/scp.c
index 1674714b1d6..dcf68372544 100644
--- a/usr.bin/ssh/scp.c
+++ b/usr.bin/ssh/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.187 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: scp.c,v 1.188 2017/04/27 11:53:12 millert Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -1022,10 +1022,15 @@ sink(int argc, char **argv)
 		if (*cp++ != ' ')
 			SCREWUP("mode not delimited");
 
-		for (size = 0; isdigit((unsigned char)*cp);)
-			size = size * 10 + (*cp++ - '0');
-		if (*cp++ != ' ')
+		if (!isdigit((unsigned char)*cp))
+			SCREWUP("size not present");
+		ull = strtoull(cp, &cp, 10);
+		if (!cp || *cp++ != ' ')
 			SCREWUP("size not delimited");
+		if ((off_t)ull < 0 || (unsigned long long)(off_t)ull != ull)
+			SCREWUP("size out of range");
+		size = (off_t)ull;
+
 		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
 			run_err("error: unexpected filename: %s", cp);
 			exit(1);