A broken decrypt (or false packet) could cause an unreasonably large
block of memory to be allocated leading to indeterminate results. SSH-TRANS only requires implementations to handle about 32k compressed length per packet. Allow 40k to be safe, but no more.
This commit is contained in:
parent
912e9ca713
commit
66f913e53a
@ -122,6 +122,9 @@
|
||||
/* Maximum size to allow a payload to deccompress to, plays it safe by allowing more than spec requires */
|
||||
#define LIBSSH2_PACKET_MAXDECOMP 40000
|
||||
|
||||
/* Maximum size for an inbound compressed payload, plays it safe by overshooting spec limits */
|
||||
#define LIBSSH2_PACKET_MAXPAYLOAD 40000
|
||||
|
||||
/* Malloc callbacks */
|
||||
#define LIBSSH2_ALLOC_FUNC(name) void *name(size_t count, void **abstract)
|
||||
#define LIBSSH2_REALLOC_FUNC(name) void *name(void *ptr, size_t count, void **abstract)
|
||||
|
10
src/packet.c
10
src/packet.c
@ -364,6 +364,16 @@ int libssh2_packet_read(LIBSSH2_SESSION *session, int should_block)
|
||||
memcpy(tmp, block, 5); /* Use this for MAC later */
|
||||
|
||||
payload_len = packet_len - 1; /* padding_len(1) */
|
||||
/* Sanity Check */
|
||||
if ((payload_len > LIBSSH2_PACKET_MAXPAYLOAD) ||
|
||||
((packet_len + 4) % blocksize)) {
|
||||
/* If something goes horribly wrong during the decryption phase, just bailout and die gracefully */
|
||||
LIBSSH2_FREE(session, block);
|
||||
session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
|
||||
libssh2_error(session, LIBSSH2_ERROR_PROTO, "Fatal protocol error, invalid payload size", 0);
|
||||
return -1;
|
||||
}
|
||||
|
||||
s = payload = LIBSSH2_ALLOC(session, payload_len);
|
||||
memcpy(s, block + 5, blocksize - 5);
|
||||
s += blocksize - 5;
|
||||
|
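Review bot: The `LIBSSH2_ALLOC(session, payload_len)` immediately after the new sanity check is still unchecked, so an allocation failure flows straight into `memcpy(s, block + 5, blocksize - 5)` as a NULL write; now that the size is bounded this is unlikely but it should fail the same way the size check does, e.g. `if (!payload) { LIBSSH2_FREE(session, block); libssh2_error(session, LIBSSH2_ERROR_PROTO, "Unable to allocate memory for payload", 0); return -1; }` (using the library's allocation error code instead of PROTO if one is in scope). The guard also relies on the declared type of `packet_len`, which is outside the hunk: if it is unsigned, a zero `packet_len` wraps `payload_len` and is rejected by the `> LIBSSH2_PACKET_MAXPAYLOAD` test, but if it is signed a negative value that satisfies `(packet_len + 4) % blocksize == 0` passes both tests and reaches the allocator with a negative size; a comment such as `/* packet_len is unsigned: a zero value wraps payload_len and is caught above */` or an explicit lower bound would make that assumption visible. libssh2_packet_read begins before this hunk and its body continues after it, so the later use of padding_len against payload_len cannot be checked from here.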