1 files changed, 15 insertions, 14 deletions

diff --git a/sshkey-xmss.c b/sshkey-xmss.c
index aaae7028928c..9e5f5e475658 100644
--- a/sshkey-xmss.c
+++ b/sshkey-xmss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey-xmss.c,v 1.3 2018/07/09 21:59:10 markus Exp $ */
+/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */
 /*
  * Copyright (c) 2017 Markus Friedl.  All rights reserved.
  *
@@ -467,18 +467,18 @@ sshkey_xmss_get_state(const struct sshkey *k, sshkey_printfn *pr)
 	}
 	if ((filename = k->xmss_filename) == NULL)
 		goto done;
-	if (asprintf(&lockfile, "%s.lock", filename) < 0 ||
-	    asprintf(&statefile, "%s.state", filename) < 0 ||
-	    asprintf(&ostatefile, "%s.ostate", filename) < 0) {
+	if (asprintf(&lockfile, "%s.lock", filename) == -1 ||
+	    asprintf(&statefile, "%s.state", filename) == -1 ||
+	    asprintf(&ostatefile, "%s.ostate", filename) == -1) {
 		ret = SSH_ERR_ALLOC_FAIL;
 		goto done;
 	}
-	if ((lockfd = open(lockfile, O_CREAT|O_RDONLY, 0600)) < 0) {
+	if ((lockfd = open(lockfile, O_CREAT|O_RDONLY, 0600)) == -1) {
 		ret = SSH_ERR_SYSTEM_ERROR;
 		PRINT("%s: cannot open/create: %s", __func__, lockfile);
 		goto done;
 	}
-	while (flock(lockfd, LOCK_EX|LOCK_NB) < 0) {
+	while (flock(lockfd, LOCK_EX|LOCK_NB) == -1) {
 		if (errno != EWOULDBLOCK) {
 			ret = SSH_ERR_SYSTEM_ERROR;
 			PRINT("%s: cannot lock: %s", __func__, lockfile);
@@ -594,9 +594,9 @@ sshkey_xmss_update_state(const struct sshkey *k, sshkey_printfn *pr)
 	state->idx = idx;
 	if ((filename = k->xmss_filename) == NULL)
 		goto done;
-	if (asprintf(&statefile, "%s.state", filename) < 0 ||
-	    asprintf(&ostatefile, "%s.ostate", filename) < 0 ||
-	    asprintf(&nstatefile, "%s.nstate", filename) < 0) {
+	if (asprintf(&statefile, "%s.state", filename) == -1 ||
+	    asprintf(&ostatefile, "%s.ostate", filename) == -1 ||
+	    asprintf(&nstatefile, "%s.nstate", filename) == -1) {
 		ret = SSH_ERR_ALLOC_FAIL;
 		goto done;
 	}
@@ -613,7 +613,7 @@ sshkey_xmss_update_state(const struct sshkey *k, sshkey_printfn *pr)
 		PRINT("%s: ENCRYPT FAILED: %d", __func__, ret);
 		goto done;
 	}
-	if ((fd = open(nstatefile, O_CREAT|O_WRONLY|O_EXCL, 0600)) < 0) {
+	if ((fd = open(nstatefile, O_CREAT|O_WRONLY|O_EXCL, 0600)) == -1) {
 		ret = SSH_ERR_SYSTEM_ERROR;
 		PRINT("%s: open new state file: %s", __func__, nstatefile);
 		goto done;
@@ -632,13 +632,13 @@ sshkey_xmss_update_state(const struct sshkey *k, sshkey_printfn *pr)
 		close(fd);
 		goto done;
 	}
-	if (fsync(fd) < 0) {
+	if (fsync(fd) == -1) {
 		ret = SSH_ERR_SYSTEM_ERROR;
 		PRINT("%s: sync new state file: %s", __func__, nstatefile);
 		close(fd);
 		goto done;
 	}
-	if (close(fd) < 0) {
+	if (close(fd) == -1) {
 		ret = SSH_ERR_SYSTEM_ERROR;
 		PRINT("%s: close new state file: %s", __func__, nstatefile);
 		goto done;
@@ -652,7 +652,7 @@ sshkey_xmss_update_state(const struct sshkey *k, sshkey_printfn *pr)
 			goto done;
 		}
 	}
-	if (rename(nstatefile, statefile) < 0) {
+	if (rename(nstatefile, statefile) == -1) {
 		ret = SSH_ERR_SYSTEM_ERROR;
 		PRINT("%s: rename %s to %s", __func__, nstatefile, statefile);
 		goto done;
@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
 		goto out;
 	}
 	/* check that an appropriate amount of auth data is present */
-	if (sshbuf_len(encoded) < encrypted_len + authlen) {
+	if (sshbuf_len(encoded) < authlen ||
+	    sshbuf_len(encoded) - authlen < encrypted_len) {
 		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}