From a0e1c8b17281570580b4041f49eaddcba331f8f3 Mon Sep 17 00:00:00 2001
From: simon
Date: Tue, 6 Jun 2000 08:57:55 +0000
Subject: [PATCH] Security improvement: check that string length field in SSH_SMSG_{STDOUT,STDERR}_DATA packets is consistent with length field in packet header. (Helps prevent insertion attack.)

git-svn-id: svn://svn.tartarus.org/sgt/putty@496 cda61777-01e9-0310-a592-d414129be87e
---
 ssh.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index 295d0e68..ea2ae3c7 100644
--- a/ssh.c
+++ b/ssh.c
@@ -665,7 +665,11 @@ static void ssh_protocol(unsigned char *in, int inlen, int ispkt) {
 long len = 0;
 for (i = 0; i < 4; i++)
 len = (len << 8) + pktin.body[i];
- c_write(pktin.body+4, len);
+ if (len+4 != pktin.length) {
+ logevent("Received data packet with bogus string length"
+ ", ignoring");
+ } else
+ c_write(pktin.body+4, len);
 } else if (pktin.type == SSH_MSG_DISCONNECT) {
 ssh_state = SSH_STATE_CLOSED;
 logevent("Received disconnect request");
-- 
2.11.0
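Review bot: The added comparison `len+4 != pktin.length` is the only bound placed on `len`, and it runs after the four length bytes have already been read from `pktin.body` with no check that the packet body holds at least four bytes. Because `len` is a signed `long` assembled by shifting, a length field with its top bit set can come out negative where `long` is 32 bits, and a negative `len` would still satisfy the equality if `pktin.length` were below 4; whether that can occur depends on validation that is not visible in this hunk. I would make the guard explicit rather than rely on the equality alone: `if (pktin.length < 4 || len < 0 || len+4 != pktin.length) {`. `ssh_protocol` begins and ends outside the hunk, so the type of `pktin.length` and any earlier length checks should be confirmed there.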