Make the sanity-checks on the size of incoming packets much stricter. We now
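diff --git a/ssh.c b/ssh.c
index 66b316e..55cecbd 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1267,7 +1267,8 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
 * _Completely_ silly lengths should be stomped on before they
 * do us any more damage.
 */
- if (st->len < 0 || st->pad < 0 || st->len + st->pad < 0) {
+ if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
+ st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
 bombout(("Incoming packet was garbled on decryption"));
 ssh_free_packet(st->pktin);
 crStop(NULL);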
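Review bot: The new upper bound in `st->len > 35000` is a bare literal, and nothing in the hunk says where it comes from, although this condition is what keeps a peer-supplied length field from steering the rest of the packet read. I would give it a name and a one-line rationale, e.g. `#define SSH2_MAX_PACKET_LEN 35000 /* presumably the RFC 4253 section 6.1 packet size limit; confirm */`, and test `st->len > SSH2_MAX_PACKET_LEN`. The comment above the test still talks only about "_Completely_ silly lengths" and should be extended to list what is now enforced: minimum padding of 4, at least one byte left after the padding, and `len + 4` being a multiple of the cipher block size. The modulus also divides by `st->cipherblk`, which is set outside this hunk; if it can ever be zero the check itself faults, so it is worth confirming it is always at least the minimum block size. The body of ssh2_rdpkt starts and ends outside the hunk.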