From 031537092643956d4e1dd7b061fe920086fff7b7 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Fri, 28 Jun 2019 19:23:33 +0100
Subject: [PATCH] Fix integer underflow in SSH-1 BPP.

If the packet length field was in the range 0 <= x < 5, then it would pass the initial range check, but underflow to something in the region of 0xFFFFFFFF when the BPP code subtracted 5 from it, leading to an overlarge memory allocation, and/or allocation failure, and perhaps worse.
---
 ssh1bpp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssh1bpp.c b/ssh1bpp.c
index f11e58cb..381da1e3 100644
--- a/ssh1bpp.c
+++ b/ssh1bpp.c
@@ -144,9 +144,9 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
         s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
     }
 
-    if (s->len < 0 || s->len > 262144) { /* SSH1.5-mandated max size */
+    if (s->len < 5 || s->len > 262144) { /* SSH1.5-mandated max size */
         ssh_sw_abort(s->bpp.ssh,
-                     "Extremely large packet length from remote suggests"
+                     "Out-of-range packet length from remote suggests"
                      " data stream corruption");
         crStopV;
     }
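Review bot: The new lower bound `5` on the added `if (s->len < 5 || ...)` line is a bare magic number whose justification lives only in the commit message (the 5 bytes the BPP later subtracts), so a reader of the function has no way to tie the two together or to keep them in sync if that subtraction ever changes. The existing trailing comment documents only the upper bound; extend it to cover both, e.g. `/* min: the 5 bytes subtracted below (presumably type byte + 4-byte CRC — confirm); max: SSH1.5-mandated size */`, or better, name the constant once and use it in both the check and the subtraction. Note also that the check relies on toint() mapping length fields with the top bit set to negative values so that they fall under the `< 5` branch; a comment stating that reliance would make the guard's completeness obvious. The enclosing ssh1_bpp_handle_input body, including the subtraction this guard protects, starts and ends outside the hunk.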