From e5f170bae209bfb97119830684330529e4f26f61 Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Wed, 28 Oct 2009 15:27:11 +0100
Subject: [PATCH] Protect against crash on too small SSH_MSG_IGNORE packets. Reported by Bob Alexander in .
---
 src/packet.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/packet.c b/src/packet.c
index d16209c..9d5be61 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -533,11 +533,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
 break;
 
 case SSH_MSG_IGNORE:
- /* As with disconnect, back it up one and add a trailing NULL */
- memcpy(data + 4, data + 5, datalen - 5);
- data[datalen] = '\0';
- if (session->ssh_msg_ignore) {
- LIBSSH2_IGNORE(session, (char *) data + 4, datalen - 5);
+ if (datalen >= 5) {
+ /* Back it up one and add a trailing NULL */
+ memmove(data, data + 1, datalen - 1);
+ data[datalen] = '\0';
+ if (session->ssh_msg_ignore) {
+ LIBSSH2_IGNORE(session, (char *) data + 4, datalen - 1);
+ }
+ } else if (session->ssh_msg_ignore) {
+ LIBSSH2_IGNORE(session, "", 0);
 }
 LIBSSH2_FREE(session, data);
 session->packAdd_state = libssh2_NB_state_idle;
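Review bot: In the `datalen >= 5` branch the callback receives `(char *) data + 4` with a length of `datalen - 1`, but after `memmove(data, data + 1, datalen - 1)` only `datalen - 5` bytes of packet content remain from that offset. A callback that trusts the length would read past the end of the peer-supplied packet, so the length should match the pointer: `LIBSSH2_IGNORE(session, (char *) data + 4, datalen - 5);`. The retained `data[datalen] = '\0';` also stores at index `datalen`, one past the `datalen` bytes handed to the function. That is only in bounds if the buffer was allocated with slack, which this hunk does not show; `data[datalen - 1] = '\0';` would terminate the shifted data inside the packet. The body of `_libssh2_packet_add` starts and ends outside the hunk, so the allocation size should be confirmed at the caller.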