Bail out on a short kex packet.

2007-04-17 18:30:05 +00:00 · 2007-04-17 18:30:05 +00:00 · 4c6bfdd5b2
commit 4c6bfdd5b2
parent 5dd66e604f
1 changed files with 3 additions and 0 deletions
--- a/src/kex.c
+++ b/src/kex.c
@ -1190,6 +1190,9 @@ static int libssh2_kex_agree_methods(LIBSSH2_SESSION *session, unsigned char *da
 	session->burn_optimistic_kexinit = *(s++);
 	/* Next uint32 in packet is all zeros (reserved) */

+	if (data_len < (unsigned)(s - data))
+		return -1; /* short packet */
+
 	if (libssh2_kex_agree_kex_hostkey(session, kex, kex_len, hostkey, hostkey_len)) {
 		return -1;
 	}