if (*datalen < 4)
return;
*length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
}
#endif
- if (!p || memcmp(p, "ssh-dss", 7)) {
+ if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
sfree(dss);
return NULL;
}