A broken decrypt (or false packet) could cause an unreasonably large

block of memory to be allocated leading to indeterminate results.

SSH-TRANS only requires implementations to handle about 32k
compressed length per packet.  Allow 40k to be safe, but no more.
This commit is contained in:
Sara Golemon 2004-12-18 07:14:51 +00:00
parent 912e9ca713
commit 66f913e53a
2 changed files with 15 additions and 2 deletions


@ -122,6 +122,9 @@
/* Maximum size to allow a payload to deccompress to, plays it safe by allowing more than spec requires */
#define LIBSSH2_PACKET_MAXDECOMP 40000
/* Maximum size for an inbound compressed payload, plays it safe by overshooting spec limits */
#define LIBSSH2_PACKET_MAXPAYLOAD 40000
/* Malloc callbacks */
#define LIBSSH2_ALLOC_FUNC(name) void *name(size_t count, void **abstract)
#define LIBSSH2_REALLOC_FUNC(name) void *name(void *ptr, size_t count, void **abstract)
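Review bot: The comment above LIBSSH2_PACKET_MAXDECOMP misspells "decompress" as "deccompress"; suggested wording: `/* Maximum size to allow a payload to decompress to, plays it safe by allowing more than spec requires */`. Since both limits bound sizes taken from untrusted packet data, it would also help to state in that comment where the 40000 figure comes from, i.e. a margin above the roughly 32k that the commit message cites from SSH-TRANS, so the rationale survives outside the commit description.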


@ -364,6 +364,16 @@ int libssh2_packet_read(LIBSSH2_SESSION *session, int should_block)
memcpy(tmp, block, 5); /* Use this for MAC later */
payload_len = packet_len - 1; /* padding_len(1) */
/* Sanity Check */
if ((payload_len > LIBSSH2_PACKET_MAXPAYLOAD) ||
((packet_len + 4) % blocksize)) {
/* If something goes horribly wrong during the decryption phase, just bailout and die gracefully */
LIBSSH2_FREE(session, block);
session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
libssh2_error(session, LIBSSH2_ERROR_PROTO, "Fatal protocol error, invalid payload size", 0);
return -1;
}
s = payload = LIBSSH2_ALLOC(session, payload_len);
memcpy(s, block + 5, blocksize - 5);
s += blocksize - 5;
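Review bot: The result of LIBSSH2_ALLOC on the `s = payload = LIBSSH2_ALLOC(session, payload_len);` line is still unchecked, so a failed allocation for a payload of up to LIBSSH2_PACKET_MAXPAYLOAD bytes makes the memcpy on the next line write through a null pointer; the new sanity check bounds the requested size but not the allocation outcome. Suggest `if (!payload) { LIBSSH2_FREE(session, block); return -1; }` directly after the allocation, reporting the failure through libssh2_error with whatever allocation error code the rest of the file uses, in the same way the new sanity-check branch does for the protocol error. Whether the `payload_len > LIBSSH2_PACKET_MAXPAYLOAD` comparison also rejects a `packet_len` of 0 depends on whether `packet_len` and `payload_len` are unsigned, which their declarations outside the hunk would confirm; if they are signed, the `packet_len - 1` subtraction yields a negative value that passes the comparison. libssh2_packet_read begins before this hunk and continues after it.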