Tighten up a lot of casts from unsigned to int which are read by one

[sgt/putty] / windows / winpgnt.c

diff --git a/windows/winpgnt.c b/windows/winpgnt.c
index e26621c..e018159 100644 (file)
--- a/windows/winpgnt.c
+++ b/windows/winpgnt.c
@@ -174,7 +174,7 @@ static void forget_passphrases(void)
 {
     while (count234(passphrases) > 0) {
        char *pp = index234(passphrases, 0);
-       memset(pp, 0, strlen(pp));
+       smemclr(pp, strlen(pp));
        delpos234(passphrases, 0);
        free(pp);
     }
@@ -450,7 +450,12 @@ static void add_keyfile(Filename *filename)
                           MB_OK | MB_ICONERROR);
                return;
            }
-           nkeys = GET_32BIT(keylist);
+           nkeys = toint(GET_32BIT(keylist));
+           if (nkeys < 0) {
+               MessageBox(NULL, "Received broken key list?!", APPNAME,
+                          MB_OK | MB_ICONERROR);
+               return;
+           }
            p = keylist + 4;
            keylistlen -= 4;
 
@@ -478,8 +483,8 @@ static void add_keyfile(Filename *filename)
                                   MB_OK | MB_ICONERROR);
                        return;
                    }
-                   n = 4 + GET_32BIT(p);
-                   if (keylistlen < n) {
+                   n = toint(4 + GET_32BIT(p));
+                   if (n < 0 || keylistlen < n) {
                        MessageBox(NULL, "Received broken key list?!", APPNAME,
                                   MB_OK | MB_ICONERROR);
                        return;
@@ -495,8 +500,8 @@ static void add_keyfile(Filename *filename)
                                   MB_OK | MB_ICONERROR);
                        return;
                    }
-                   n = 4 + GET_32BIT(p);
-                   if (keylistlen < n) {
+                   n = toint(4 + GET_32BIT(p));
+                   if (n < 0 || keylistlen < n) {
                        MessageBox(NULL, "Received broken key list?!", APPNAME,
                                   MB_OK | MB_ICONERROR);
                        return;
@@ -968,7 +973,7 @@ static void answer_msg(void *msg)
            MD5Init(&md5c);
            MD5Update(&md5c, response_source, 48);
            MD5Final(response_md5, &md5c);
-           memset(response_source, 0, 48);     /* burn the evidence */
+           smemclr(response_source, 48);       /* burn the evidence */
            freebn(response);          /* and that evidence */
            freebn(challenge);         /* yes, and that evidence */
            freebn(reqkey.exponent);   /* and free some memory ... */
@@ -998,17 +1003,17 @@ static void answer_msg(void *msg)
 
            if (msgend < p+4)
                goto failure;
-           b.len = GET_32BIT(p);
+           b.len = toint(GET_32BIT(p));
+            if (b.len < 0 || b.len > msgend - (p+4))
+                goto failure;
            p += 4;
-           if (msgend < p+b.len)
-               goto failure;
            b.blob = p;
            p += b.len;
            if (msgend < p+4)
                goto failure;
-           datalen = GET_32BIT(p);
+           datalen = toint(GET_32BIT(p));
            p += 4;
-           if (msgend < p+datalen)
+           if (datalen < 0 || datalen > msgend - p)
                goto failure;
            data = p;
            key = find234(ssh2keys, &b, cmpkeys_ssh2_asymm);
@@ -1081,9 +1086,9 @@ static void answer_msg(void *msg)
                sfree(key);
                goto failure;
            }
-            commentlen = GET_32BIT(p);
+            commentlen = toint(GET_32BIT(p));
 
-           if (msgend < p+commentlen) {
+           if (commentlen < 0 || commentlen > msgend - p) {
                freersakey(key);
                sfree(key);
                goto failure;
@@ -1120,9 +1125,9 @@ static void answer_msg(void *msg)
 
            if (msgend < p+4)
                goto failure;
-           alglen = GET_32BIT(p);
+           alglen = toint(GET_32BIT(p));
            p += 4;
-           if (msgend < p+alglen)
+           if (alglen < 0 || alglen > msgend - p)
                goto failure;
            alg = p;
            p += alglen;
@@ -1156,10 +1161,10 @@ static void answer_msg(void *msg)
                sfree(key);
                goto failure;
            }
-           commlen = GET_32BIT(p);
+           commlen = toint(GET_32BIT(p));
            p += 4;
 
-           if (msgend < p+commlen) {
+           if (commlen < 0 || commlen > msgend - p) {
                key->alg->freekey(key->data);
                sfree(key);
                goto failure;
@@ -1223,10 +1228,10 @@ static void answer_msg(void *msg)
 
            if (msgend < p+4)
                goto failure;
-           b.len = GET_32BIT(p);
+           b.len = toint(GET_32BIT(p));
            p += 4;
 
-           if (msgend < p+b.len)
+           if (b.len < 0 || b.len > msgend - p)
                goto failure;
            b.blob = p;
            p += b.len;
@@ -1938,8 +1943,10 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
                     }
 #endif
                    if (!EqualSid(mapowner, ourself) &&
-                        !EqualSid(mapowner, ourself2))
+                        !EqualSid(mapowner, ourself2)) {
+                        CloseHandle(filemap);
                        return 0;      /* security ID mismatch! */
+                    }
 #ifdef DEBUG_IPC
                    debug(("security stuff matched\n"));
 #endif