X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/f11d78f2647ddf2f7c8f457fa4847da7193cda1b..f85e6f6edb2c9415bc10bd2015479d72ea8c5ae2:/ssh.c
diff --git a/ssh.c b/ssh.c
index 2b33bea3..23602f6d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -856,7 +856,7 @@ static int ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
 if (ssh->cipher)
 ssh->cipher->decrypt(ssh->v1_cipher_ctx, ssh->pktin.data, st->biglen);
- st->realcrc = crc32(ssh->pktin.data, st->biglen - 4);
+ st->realcrc = crc32_compute(ssh->pktin.data, st->biglen - 4);
 st->gotcrc = GET_32BIT(ssh->pktin.data + st->biglen - 4);
 if (st->gotcrc != st->realcrc) {
 bombout(("Incorrect CRC received on packet"));
@@ -868,9 +868,12 @@ static int ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
 if (ssh->v1_compressing) {
 unsigned char *decompblk;
 int decomplen;
- zlib_decompress_block(ssh->sc_comp_ctx,
- ssh->pktin.body - 1, ssh->pktin.length + 1,
- &decompblk, &decomplen);
+ if (!zlib_decompress_block(ssh->sc_comp_ctx,
+ ssh->pktin.body - 1, ssh->pktin.length + 1,
+ &decompblk, &decomplen)) {
+ bombout(("Zlib decompression encountered invalid data"));
+ crStop(0);
+ }
 if (ssh->pktin.maxlen < st->pad + decomplen) {
 ssh->pktin.maxlen = st->pad + decomplen;
@@ -1244,7 +1247,7 @@ static int s_wrpkt_prepare(Ssh ssh)
 for (i = 0; i < pad; i++)
 ssh->pktout.data[i + 4] = random_byte();
- crc = crc32(ssh->pktout.data + 4, biglen - 4);
+ crc = crc32_compute(ssh->pktout.data + 4, biglen - 4);
 PUT_32BIT(ssh->pktout.data + biglen, crc);
 PUT_32BIT(ssh->pktout.data, len);
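Review bot: In the `ssh1_rdpkt` hunk at -868, the success path after the new failure check still uses `decomplen` unbounded: `st->pad + decomplen` is plain int arithmetic on a length derived from peer-supplied compressed data, and no cap is visible here. If `zlib_decompress_block` does not limit its output itself (its body is outside this diff), a guard before the resize is worth adding, for example `if (decomplen < 0 || decomplen > MAX_DECOMP_LEN) { bombout(("Decompressed packet too large")); crStop(0); }`, where `MAX_DECOMP_LEN` is a placeholder for a limit the project would choose. A short comment on the new branch should also state whether `decompblk` can be left allocated when the call fails, because the branch exits without freeing it. The rest of `ssh1_rdpkt` lies outside the hunk.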
@@ -1777,7 +1780,8 @@ static void ssh_detect_bugs(Ssh ssh, char *vstring)
 (ssh->cfg.sshbug_ignore1 == AUTO &&
 (!strcmp(imp, "1.2.18") || !strcmp(imp, "1.2.19") ||
 !strcmp(imp, "1.2.20") || !strcmp(imp, "1.2.21") ||
- !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25")))) {
+ !strcmp(imp, "1.2.22") || !strcmp(imp, "Cisco-1.25") ||
+ !strcmp(imp, "OSU_1.4alpha3")))) {
 /*
 * These versions don't support SSH1_MSG_IGNORE, so we have
 * to use a different defence against password length
@@ -1789,7 +1793,7 @@ static void ssh_detect_bugs(Ssh ssh, char *vstring)
 if (ssh->cfg.sshbug_plainpw1 == FORCE_ON ||
 (ssh->cfg.sshbug_plainpw1 == AUTO &&
- (!strcmp(imp, "Cisco-1.25")))) {
+ (!strcmp(imp, "Cisco-1.25") || !strcmp(imp, "OSU_1.4alpha3")))) {
 /*
 * These versions need a plain password sent; they can't
 * handle having a null and a random length of data after
@@ -1813,6 +1817,7 @@ static void ssh_detect_bugs(Ssh ssh, char *vstring)
 if (ssh->cfg.sshbug_hmac2 == FORCE_ON ||
 (ssh->cfg.sshbug_hmac2 == AUTO &&
+ !wc_match("* VShell", imp) &&
 (wc_match("2.1.0*", imp) || wc_match("2.0.*", imp) ||
 wc_match("2.2.0*", imp) || wc_match("2.3.0*", imp) ||
 wc_match("2.1 *", imp)))) {
@@ -1825,6 +1830,7 @@ static void ssh_detect_bugs(Ssh ssh, char *vstring)
 if (ssh->cfg.sshbug_derivekey2 == FORCE_ON ||
 (ssh->cfg.sshbug_derivekey2 == AUTO &&
+ !wc_match("* VShell", imp) &&
 (wc_match("2.0.0*", imp) || wc_match("2.0.10*", imp) ))) {
 /*
 * These versions have the key-derivation bug (failing to
@@ -2147,8 +2153,10 @@ static const char *connect_to_host(Ssh ssh, char *host, int port,
 */
 logeventf(ssh, "Looking up host \"%s\"", host);
 addr = name_lookup(host, port, realhost, &ssh->cfg);
- if ((err = sk_addr_error(addr)) != NULL)
+ if ((err = sk_addr_error(addr)) != NULL) {
+ sk_addr_free(addr);
 return err;
+ }
 /*
 * Open socket.
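Review bot: In the `ssh_detect_bugs` hunks at -1777 and -1789, `OSU_1.4alpha3` now lands in both the ignore1 and the plainpw1 lists, and going by the two neighbouring comments that switches off both defences against password-length disclosure (the IGNORE-message one and the padded-password one) for that server, as was already the case for `Cisco-1.25`. The code that acts on the resulting flags is outside the diff, so this is inferred; if it holds, say so next to the second list, e.g. `/* Servers in both this list and the ignore1 list get no password-length hiding at all. */`. Both tests are exact `strcmp` matches, so other OSU releases are not covered; a comment noting whether that is intentional would help.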
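Review bot: In the `ssh_detect_bugs` hunks at -1813 and -1825, the new `!wc_match("* VShell", imp)` exclusion has no comment explaining why VShell is exempt from the hmac2 and derivekey2 workarounds, and the same test is written twice. A comment such as `/* VShell reports version numbers that match the lists below but presumably lacks these bugs */` (wording to be confirmed by the author) would record the reason. Assuming `wc_match` matches the whole string, the pattern only recognises banners that end in ` VShell`, so a banner with any trailing text would still get the workarounds; this is worth confirming against real version strings. Evaluating the test once into a local flag and using it in both conditions would keep the two lists from drifting apart.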
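Review bot: In the `connect_to_host` hunk at -2147, `err` is obtained from `addr` via `sk_addr_error(addr)` and is returned after `sk_addr_free(addr)` has run, so the caller receives a dangling pointer if the error text is stored inside the address object. `sk_addr_error` is not visible in this diff; if it returns a string with static lifetime the code is fine and a comment should say so, e.g. `/* err points at static storage and outlives addr */`. Otherwise the message needs to be copied before the free. `connect_to_host` continues outside the hunk.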