In SSH2, if decrypting the packet length gave us a negative value,
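--- a/ssh.c
+++ b/ssh.c
@@ -885,6 +885,15 @@ static int ssh2_rdpkt(unsigned char **data, int *datalen)
 st->pad = pktin.data[4];
 /*
+ * _Completely_ silly lengths should be stomped on before they
+ * do us any more damage.
+ */
+ if (st->len < 0 || st->pad < 0 || st->len + st->pad < 0) {
+ bombout(("Incoming packet was garbled on decryption"));
+ crReturn(0);
+ }
+
+ /*
 * This enables us to deduce the payload length.
 */
 st->payload = st->len - st->pad - 1;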
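Review bot: The new guard in ssh2_rdpkt still accepts a packet whose padding is at least as large as its length, so `st->payload = st->len - st->pad - 1` just below it can come out negative. The third test, `st->len + st->pad < 0`, can only fire after signed overflow, which is undefined behaviour in C (assuming both fields are `int`), and `st->pad < 0` looks unreachable if `pktin.data` is an unsigned char buffer. A comparison that needs no addition covers both cases: `if (st->len < 0 || st->pad < 0 || st->pad >= st->len) {`. An upper bound on `st->len` before it is used to size any buffer would also be worth adding, unless the rest of the function, which lies outside this hunk, already enforces one.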