X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/9e296bfa1190f3bb2aa9ebce308386e31eaf0898..58070d221740f21df8c354ab653c49a184d37ebf:/ssh.c?ds=sidebyside

diff --git a/ssh.c b/ssh.c
index 000a7c5c..24391d38 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1267,7 +1267,8 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
      * _Completely_ silly lengths should be stomped on before they
      * do us any more damage.
      */
-    if (st->len < 0 || st->pad < 0 || st->len + st->pad < 0) {
+    if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
+	st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
 	bombout(("Incoming packet was garbled on decryption"));
 	ssh_free_packet(st->pktin);
 	crStop(NULL);
@@ -1652,8 +1653,6 @@ static unsigned char *ssh2_mpint_fmt(Bignum b, int *len)
     unsigned char *p;
     int i, n = (bignum_bitcount(b) + 7) / 8;
     p = snewn(n + 1, unsigned char);
-    if (!p)
-	fatalbox("out of memory");
     p[0] = 0;
     for (i = 1; i <= n; i++)
 	p[i] = bignum_byte(b, n - i);
@@ -2657,8 +2656,6 @@ static const char *connect_to_host(Ssh ssh, char *host, int port,
     const char *err;
 
     ssh->savedhost = snewn(1 + strlen(host), char);
-    if (!ssh->savedhost)
-	fatalbox("Out of memory");
     strcpy(ssh->savedhost, host);
 
     if (port < 0)
@@ -3011,8 +3008,6 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
     s->len = (hostkey.bytes > servkey.bytes ? hostkey.bytes : servkey.bytes);
 
     s->rsabuf = snewn(s->len, unsigned char);
-    if (!s->rsabuf)
-	fatalbox("Out of memory");
 
     /*
      * Verify the host key.
@@ -3024,8 +3019,6 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen,
 	int len = rsastr_len(&hostkey);
 	char fingerprint[100];
 	char *keystr = snewn(len, char);
-	if (!keystr)
-	    fatalbox("Out of memory");
 	rsastr_fmt(keystr, &hostkey);
 	rsa_fingerprint(fingerprint, sizeof(fingerprint), &hostkey);
 
@@ -5731,7 +5724,7 @@ static int do_ssh2_transport(Ssh ssh, void *vin, int inlen,
      * it would only confuse the layer above.
      */
     if (s->activated_authconn) {
-	crReturn(1);
+	crReturn(0);
     }
     s->activated_authconn = TRUE;
 
@@ -6357,7 +6350,7 @@ static void ssh2_msg_channel_open(Ssh ssh, struct Packet *pktin)
 	    }
 	}
     } else if (typelen == 22 &&
-	       !memcmp(type, "auth-agent@openssh.com", 3)) {
+	       !memcmp(type, "auth-agent@openssh.com", 22)) {
 	if (!ssh->agentfwd_enabled)
 	    error = "Agent forwarding is not enabled";
 	else {
@@ -8063,7 +8056,7 @@ static void ssh_reconfig(void *handle, Config *cfg)
 }
 
 /*
- * Called to send data down the Telnet connection.
+ * Called to send data down the SSH connection.
  */
 static int ssh_send(void *handle, char *buf, int len)
 {
@@ -8220,7 +8213,7 @@ static const struct telnet_special *ssh_get_specials(void *handle)
 }
 
 /*
- * Send Telnet special codes. TS_EOF is useful for `plink', so you
+ * Send special codes. TS_EOF is useful for `plink', so you
  * can send an EOF and collect resulting output (e.g. `plink
  * hostname sort').
  */