A broken decrypt (or false packet) could cause an unreasonably large
block of memory to be allocated, leading to indeterminate results. SSH-TRANS only requires implementations to handle about 32k compressed length per packet. Allow 40k to be safe, but no more.
		| @@ -122,6 +122,9 @@ | ||||
| /* Maximum size to allow a payload to deccompress to, plays it safe by allowing more than spec requires */ | ||||
| #define LIBSSH2_PACKET_MAXDECOMP	40000 | ||||
|  | ||||
| /* Maximum size for an inbound compressed payload, plays it safe by overshooting spec limits */ | ||||
| #define LIBSSH2_PACKET_MAXPAYLOAD	40000 | ||||
|  | ||||
| /* Malloc callbacks */ | ||||
| #define LIBSSH2_ALLOC_FUNC(name)					void *name(size_t count, void **abstract) | ||||
| #define LIBSSH2_REALLOC_FUNC(name)					void *name(void *ptr, size_t count, void **abstract) | ||||
|   | ||||
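Review bot: The comment on LIBSSH2_PACKET_MAXDECOMP misspells "deccompress", and neither new comment names the limit that 40000 overshoots, so a reader cannot tell how much headroom the value gives or whether it is safe to lower. RFC 4253 section 6.1 requires implementations to accept an uncompressed payload of 32768 bytes and a total packet of 35000 bytes, so both constants sit above both figures; suggest `/* Maximum size to allow a payload to decompress to; RFC 4253 sec 6.1 requires 32768, so this deliberately overshoots the spec */` and the matching wording on LIBSSH2_PACKET_MAXPAYLOAD. Since the two macros are independent bounds that merely happen to share a value, a one-line remark saying they need not stay equal would stop a future edit from folding them together. These are file-scope preprocessor definitions, so no enclosing function is cut by the hunk.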
							
								
								
									
										10
									
								
								src/packet.c
							| @@ -364,6 +364,16 @@ int libssh2_packet_read(LIBSSH2_SESSION *session, int should_block) | ||||
| 		memcpy(tmp, block, 5); /* Use this for MAC later */ | ||||
|  | ||||
| 		payload_len = packet_len - 1; /* padding_len(1) */ | ||||
| 		/* Sanity Check */ | ||||
| 		if ((payload_len > LIBSSH2_PACKET_MAXPAYLOAD) || | ||||
| 			((packet_len + 4) % blocksize)) { | ||||
| 			/* If something goes horribly wrong during the decryption phase, just bailout and die gracefully */ | ||||
| 			LIBSSH2_FREE(session, block); | ||||
| 			session->socket_state = LIBSSH2_SOCKET_DISCONNECTED; | ||||
| 			libssh2_error(session, LIBSSH2_ERROR_PROTO, "Fatal protocol error, invalid payload size", 0); | ||||
| 			return -1; | ||||
| 		} | ||||
|  | ||||
| 		s = payload = LIBSSH2_ALLOC(session, payload_len); | ||||
| 		memcpy(s, block + 5, blocksize - 5); | ||||
| 		s += blocksize - 5; | ||||
|   | ||||
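Review bot: The allocation on the context line `s = payload = LIBSSH2_ALLOC(session, payload_len);` is still unchecked after the new sanity check, so an allocator returning NULL reaches the memcpy on the next line with a NULL destination; the bound now caps the request at 40000 bytes, but the failure path should mirror the new one: `if (!payload) { LIBSSH2_FREE(session, block); libssh2_error(session, LIBSSH2_ERROR_ALLOC, "Unable to allocate memory for payload", 0); return -1; }` (the exact error constant should match what this file already uses). The new check enforces only an upper bound on payload_len; the lower bound is implied by `(packet_len + 4) % blocksize`, which appears to hold only while blocksize exceeds 4, so an explicit `packet_len < blocksize - 4` guard would make the intent visible rather than relying on the modulo. The body of libssh2_packet_read continues outside the hunk, so the later handling of padding_len against payload_len could not be checked here.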
	 Sara Golemon