From 717dc4839a39d4235793d152f39fd24e9be9d12b Mon Sep 17 00:00:00 2001 From: simon Date: Sun, 18 Aug 2002 09:10:17 +0000 Subject: [PATCH] In SSH2, if decrypting the packet length gave us a negative value, subsequent packet-receiver code would fail to notice anything was wrong and segfault. Since this is clearly a silly packet length anyway, we now explicitly reject it as a daft encryption error. git-svn-id: svn://svn.tartarus.org/sgt/putty@1852 cda61777-01e9-0310-a592-d414129be87e --- ssh.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ssh.c b/ssh.c index 0edaf932..acc4598b 100644 --- a/ssh.c +++ b/ssh.c @@ -885,6 +885,15 @@ static int ssh2_rdpkt(unsigned char **data, int *datalen) st->pad = pktin.data[4]; /* + * _Completely_ silly lengths should be stomped on before they + * do us any more damage. + */ + if (st->len < 0 || st->pad < 0 || st->len + st->pad < 0) { + bombout(("Incoming packet was garbled on decryption")); + crReturn(0); + } + + /* * This enables us to deduce the payload length. */ st->payload = st->len - st->pad - 1; -- 2.11.0
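Review bot: the new check in ssh2_rdpkt rejects negative `st->len` and `st->pad`, but it still lets the very next line `st->payload = st->len - st->pad - 1;` go negative whenever `st->pad + 1 > st->len` (for example `len == 0, pad == 0` gives a payload of -1), so the receiver code downstream can still be handed a bogus length; consider also rejecting `st->len < st->pad + 1` here, or checking `st->payload < 0` right after it is computed. Separately, the third clause `st->len + st->pad < 0` only fires on signed overflow, which is undefined behaviour in C and may be optimised away; an explicit upper bound on `st->len` (the protocol caps packet length, so an absurdly large value is as "daft" as a negative one) would catch that case without relying on overflow. Minor: if `st->pad` is assigned from the `unsigned char` `pktin.data[4]` shown in the context line, the `st->pad < 0` test can never be true unless the field is narrower than the value, so a short comment on why it is kept would help future readers.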