From ae0500e538e2fb821ef1ad8529aed7999acf7a19 Mon Sep 17 00:00:00 2001
From: simon
Date: Sat, 28 Aug 2004 16:51:26 +0000
Subject: [PATCH] More sensible error handling when we receive an SSH1 public key modulus of zero (!!), and also a robustness fix in ssh1_rdpkt which I happened to notice while debugging that.

git-svn-id: svn://svn.tartarus.org/sgt/putty@4516 cda61777-01e9-0310-a592-d414129be87e
---
 ssh.c | 8 +++++++-
 sshrsa.c | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ssh.c b/ssh.c
index 8ae552f3..3e051f91 100644
--- a/ssh.c
+++ b/ssh.c
@@ -827,6 +827,12 @@ static int ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
 st->biglen = st->len + st->pad;
 ssh->pktin.length = st->len - 5;
+ if (st->biglen < 0) {
+ bombout(("Extremely large packet length from server suggests"
+ " data stream corruption"));
+ crStop(0);
+ }
+
 if (ssh->pktin.maxlen < st->biglen) {
 ssh->pktin.maxlen = st->biglen;
 ssh->pktin.data = sresize(ssh->pktin.data, st->biglen + APIEXTRA,
@@ -2435,7 +2441,7 @@ static int do_ssh1_login(Ssh ssh, unsigned char *in, int inlen, int ispkt)
 if (!ssh1_pkt_getrsakey(ssh, &servkey, &s->keystr1) || !ssh1_pkt_getrsakey(ssh, &hostkey, &s->keystr2)) {
- bombout(("SSH1 public key packet stopped before public keys"));
+ bombout(("Failed to read SSH1 public keys from public key packet"));
 crStop(0);
 }
diff --git a/sshrsa.c b/sshrsa.c
index e7fca008..f684c2af 100644
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -54,7 +54,7 @@ int makekey(unsigned char *data, int len, struct RSAKey *result,
 }
 n = ssh1_read_bignum(p, len, result ? &result->modulus : NULL);
- if (n < 0) return -1;
+ if (n < 0 || bignum_bitcount(result->modulus) == 0) return -1;
 if (result) result->bytes = n - 2;
 if (keystr)
-- 
2.11.0
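Review bot: In ssh1_rdpkt (ssh.c, first hunk) the new `st->biglen < 0` test runs only after `st->len + st->pad` and `st->len - 5` have been evaluated, so it depends on a signed overflow having wrapped, which C leaves undefined. It also lets any large positive length through to `sresize`, where `st->biglen + APIEXTRA` can itself overflow or drive a very large allocation from a peer-supplied field. Checking the length before the arithmetic would be sturdier, for example `if (st->len < 0 || st->len > MAX_SSH1_PKT_LEN) { bombout((...)); crStop(0); }` ahead of the `st->biglen` assignment, where `MAX_SSH1_PKT_LEN` is a placeholder for whatever ceiling the project chooses. The declarations of `st->len` and `st->biglen` are outside the hunk, so this assumes they are plain `int`; the function body starts and ends outside the hunk.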
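Review bot: In makekey (sshrsa.c) the added `bignum_bitcount(result->modulus)` dereferences `result` unconditionally, although the line above passes `result ? &result->modulus : NULL` and the line below tests `if (result)`, so a caller that passes NULL would now crash on this line. Guard the new test the same way as its neighbours: `if (n < 0 || (result && bignum_bitcount(result->modulus) == 0)) return -1;`. A short comment such as `/* reject a zero modulus supplied by the peer */` would record why the extra condition is there. makekey's body starts and ends outside the hunk.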