generic-library/ssh2
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

_libssh2_packet_add: SSH_MSG_DEBUG length checks

Browse Source 
Verify lengths before using them. Read always_display from the correct
index. Don't copy stuff around just to provide zero-termination of the
strings.
This commit is contained in:
Daniel Stenberg 2010-11-09 15:07:32 +01:00
parent 075ff19574
commit 7ad152a6b2
1 changed files with 40 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
src/packet.c
View File

@ -480,6 +480,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
if (session->packAdd_state == libssh2_NB_state_allocated) { if (session->packAdd_state == libssh2_NB_state_allocated) {
/* A couple exceptions to the packet adding rule: */ /* A couple exceptions to the packet adding rule: */
switch (data[0]) { switch (data[0]) {
/*
byte SSH_MSG_DISCONNECT
uint32 reason code
string description in ISO-10646 UTF-8 encoding [RFC3629]
string language tag [RFC3066]
*/
case SSH_MSG_DISCONNECT: case SSH_MSG_DISCONNECT:
{ {
char *message=NULL; char *message=NULL;
@ -527,6 +535,11 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
} }
break; break;
/*
byte SSH_MSG_IGNORE
string data
*/
case SSH_MSG_IGNORE: case SSH_MSG_IGNORE:
if (datalen >= 2) { if (datalen >= 2) {
if (session->ssh_msg_ignore) { if (session->ssh_msg_ignore) {
@ -539,33 +552,37 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
session->packAdd_state = libssh2_NB_state_idle; session->packAdd_state = libssh2_NB_state_idle;
return 0; return 0;
/*
byte SSH_MSG_DEBUG
boolean always_display
string message in ISO-10646 UTF-8 encoding [RFC3629]
string language tag [RFC3066]
*/
case SSH_MSG_DEBUG: case SSH_MSG_DEBUG:
{ {
int always_display = data[0]; int always_display=0;
char *message, *language; char *message=NULL;
int message_len, language_len; char *language=NULL;
size_t message_len=0;
size_t language_len=0;
message_len = _libssh2_ntohu32(data + 2); if(datalen >= 2) {
/* 6 = packet_type(1) + display(1) + message_len(4) */ always_display = data[1];
message = (char *) data + 6;
language_len = _libssh2_ntohu32(data + 6 + message_len); if(datalen >= 6) {
/* message_len = _libssh2_ntohu32(data + 2);
* This is where we hack on the data a little,
* Use the MSB of language_len to to a terminating NULL if(message_len <= (datalen - 10)) {
* (In all liklihood it is already) /* 6 = packet_type(1) + display(1) + message_len(4) */
* Shift the language tag back a byte (In all likelihood message = (char *) data + 6;
* it's zero length anyway) language_len = _libssh2_ntohu32(data + 6 + message_len);
* Store a NULL in the last byte of the packet to terminate
* the language string if(language_len <= (datalen - 10 - message_len))
* With the lengths passed this isn't *REALLY* necessary, language = (char *) data + 10 + message_len;
* but it's "kind" }
*/ }
message[message_len] = '\0';
language = (char *) data + 6 + message_len + 3;
if (language_len) {
memmove(language, language + 1, language_len);
} }
language[language_len] = '\0';
if (session->ssh_msg_debug) { if (session->ssh_msg_debug) {
LIBSSH2_DEBUG(session, always_display, message, LIBSSH2_DEBUG(session, always_display, message,
@ -581,7 +598,6 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
session->packAdd_state = libssh2_NB_state_idle; session->packAdd_state = libssh2_NB_state_idle;
return 0; return 0;
} }
break;
case SSH_MSG_GLOBAL_REQUEST: case SSH_MSG_GLOBAL_REQUEST:
{ {