From 87e97c019e7911c9268f4763681f1bdfd3f7b812 Mon Sep 17 00:00:00 2001 From: simon Date: Tue, 6 Jun 2000 10:54:41 +0000 Subject: [PATCH] Security fixes, copied from ssh.c: check string length versus packet length on incoming SSH_SMSG_*_DATA, and check CRCs on all incoming packets. git-svn-id: svn://svn.tartarus.org/sgt/putty@498 cda61777-01e9-0310-a592-d414129be87e --- scpssh.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/scpssh.c b/scpssh.c index 3d2c8240..5bc12cd0 100644 --- a/scpssh.c +++ b/scpssh.c @@ -93,6 +93,7 @@ static void get_packet(void) unsigned char buf[4]; int ret; int len, pad, biglen; + unsigned long realcrc, gotcrc; next_packet: @@ -145,6 +146,15 @@ next_packet: pktin.type = pktin.data[pad]; pktin.body = pktin.data + pad + 1; + realcrc = crc32(pktin.data, biglen-4); + gotcrc = (pktin.data[biglen-4] << 24); + gotcrc |= (pktin.data[biglen-3] << 16); + gotcrc |= (pktin.data[biglen-2] << 8); + gotcrc |= (pktin.data[biglen-1] << 0); + if (gotcrc != realcrc) { + fatalbox("Incorrect CRC received on packet"); + } + if (pktin.type == SSH_MSG_DEBUG) { if (verbose) { int len = GET_32BIT(pktin.body); @@ -425,7 +435,10 @@ int ssh_recv(unsigned char *buf, int len) return 0; if (pktin.type == SSH_SMSG_STDOUT_DATA) { int plen = GET_32BIT(pktin.body); - if (plen <= to_read) { + if (plen+4 != pktin.length) { + fprintf(stderr, "Received data packet with bogus string length" + ", ignoring\n"); + } else if (plen <= to_read) { memcpy(buf, pktin.body + 4, plen); buf += plen; to_read -= plen; @@ -437,7 +450,11 @@ int ssh_recv(unsigned char *buf, int len) } } else if (pktin.type == SSH_SMSG_STDERR_DATA) { int plen = GET_32BIT(pktin.body); - fwrite(pktin.body + 4, plen, 1, stderr); + if (plen+4 != pktin.length) { + fprintf(stderr, "Received data packet with bogus string length" + ", ignoring\n"); + } else + fwrite(pktin.body + 4, plen, 1, stderr); } else if (pktin.type == SSH_MSG_DISCONNECT) { } else if (pktin.type == SSH_SMSG_SUCCESS || pktin.type == SSH_SMSG_FAILURE) { -- 2.11.0