From cba1e4b5171a9ee902db283e21272984a6ddf79a Mon Sep 17 00:00:00 2001
From: ben
Date: Mon, 20 Jun 2005 13:56:30 +0000
Subject: [PATCH] Make the sanity-checks on the size of incoming packets much stricter. We now enforce the following:
 * Packet must have at least one byte of payload and four bytes of padding.
 * Total packet length must not exceed 35000 bytes compressed.
 * Total packet length including length field must be a multiple of cipher block size (or eight bytes).
The feebleness of our old checks was noticed by Ben Rudiak-Gould.

git-svn-id: svn://svn.tartarus.org/sgt/putty@5981 cda61777-01e9-0310-a592-d414129be87e
---
 ssh.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index 66b316e5..55cecbd2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1267,7 +1267,8 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
      * _Completely_ silly lengths should be stomped on before they
      * do us any more damage.
      */
-    if (st->len < 0 || st->pad < 0 || st->len + st->pad < 0) {
+    if (st->len < 0 || st->len > 35000 || st->pad < 4 ||
+        st->len - st->pad < 1 || (st->len + 4) % st->cipherblk != 0) {
         bombout(("Incoming packet was garbled on decryption"));
         ssh_free_packet(st->pktin);
         crStop(NULL);
-- 
2.11.0
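Review bot: The new bound `st->len - st->pad < 1` only guarantees "at least one byte of payload" (as the commit message claims) if st->len already excludes the padding_length byte; if st->len is the raw SSH-2 packet_length field (padding_length byte + payload + padding on the wire), the payload is st->len - st->pad - 1 and this check still admits an empty payload, so it is worth confirming against where the payload length is derived later in ssh2_rdpkt, whose body continues outside the hunk. The modulo test `(st->len + 4) % st->cipherblk != 0` is only safe if st->cipherblk can never be zero here; the message's "or eight bytes" suggests a default is applied earlier in the function, but that assignment is not in the hunk, so a comment such as `/* cipherblk is assumed >= 8 at this point, so the modulo cannot divide by zero */` would make the dependency explicit. The literal `35000` is a magic number in a security-relevant check and deserves a named constant next to the other packet limits, e.g. `enum { SSH2_MAX_PACKET_LEN = 35000 }; /* constructed name */` with a comment explaining that it bounds the compressed on-wire length before decompression.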