A broken decrypt (or false packet) could cause an unreasonably large
block of memory to be allocated leading to indeterminate results. SSH-TRANS only requires implementations to handle about 32k compressed length per packet. Allow 40k to be safe, but no more.
		| @@ -122,6 +122,9 @@ | |||||||
| /* Maximum size to allow a payload to deccompress to, plays it safe by allowing more than spec requires */ | /* Maximum size to allow a payload to deccompress to, plays it safe by allowing more than spec requires */ | ||||||
| #define LIBSSH2_PACKET_MAXDECOMP	40000 | #define LIBSSH2_PACKET_MAXDECOMP	40000 | ||||||
|  |  | ||||||
|  | /* Maximum size for an inbound compressed payload, plays it safe by overshooting spec limits */ | ||||||
|  | #define LIBSSH2_PACKET_MAXPAYLOAD	40000 | ||||||
|  |  | ||||||
| /* Malloc callbacks */ | /* Malloc callbacks */ | ||||||
| #define LIBSSH2_ALLOC_FUNC(name)					void *name(size_t count, void **abstract) | #define LIBSSH2_ALLOC_FUNC(name)					void *name(size_t count, void **abstract) | ||||||
| #define LIBSSH2_REALLOC_FUNC(name)					void *name(void *ptr, size_t count, void **abstract) | #define LIBSSH2_REALLOC_FUNC(name)					void *name(void *ptr, size_t count, void **abstract) | ||||||
|   | |||||||
							
								
								
									
										10
									
								
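--- a/src/packet.c
+++ b/src/packet.c
@@ -364,6 +364,16 @@ int libssh2_packet_read(LIBSSH2_SESSION *session, int should_block)
 		memcpy(tmp, block, 5); /* Use this for MAC later */
 
 		payload_len = packet_len - 1; /* padding_len(1) */
+		/* Sanity Check */
+		if ((payload_len > LIBSSH2_PACKET_MAXPAYLOAD) ||
+			((packet_len + 4) % blocksize)) {
+			/* If something goes horribly wrong during the decryption phase, just bailout and die gracefully */
+			LIBSSH2_FREE(session, block);
+			session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
+			libssh2_error(session, LIBSSH2_ERROR_PROTO, "Fatal protocol error, invalid payload size", 0);
+			return -1;
+		}
+
 		s = payload = LIBSSH2_ALLOC(session, payload_len);
 		memcpy(s, block + 5, blocksize - 5);
 		s += blocksize - 5;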
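Review bot: The new sanity check in libssh2_packet_read bounds payload_len only from above, so whether it rejects a zero or negative packet_len depends on the integer types, which are declared outside this hunk. If both lengths are signed, a garbage packet_len of -4 yields a negative payload_len that passes both tests and reaches LIBSSH2_ALLOC and the `memcpy(s, block + 5, blocksize - 5)` that follows. An explicit floor makes the check independent of the types: `if ((packet_len < 1) || (payload_len > LIBSSH2_PACKET_MAXPAYLOAD) || ((packet_len + 4) % blocksize)) {`. Separately, the result of `LIBSSH2_ALLOC(session, payload_len)` is written through without a NULL test, so an allocation failure on an in-range packet would still crash; the free-block-and-return path added here would fit that case too. The function body starts and ends outside the hunk.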
	 Sara Golemon
					Sara Golemon