
Fix integer underflow in SSH-1 BPP.

If the packet length field was in the range 0 <= x < 5, then it would
pass the initial range check, but underflow to something in the region
of 0xFFFFFFFF when the BPP code subtracted 5 from it, leading to an
overlarge memory allocation, and/or allocation failure, and perhaps
worse.
This commit is contained in:
Simon Tatham 2019-06-28 19:23:33 +01:00
parent 921613ff08
commit 0315370926


@ -144,9 +144,9 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
s->len = toint(GET_32BIT_MSB_FIRST(lenbuf)); s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
} }
if (s->len < 0 || s->len > 262144) { /* SSH1.5-mandated max size */ if (s->len < 5 || s->len > 262144) { /* SSH1.5-mandated max size */
ssh_sw_abort(s->bpp.ssh, ssh_sw_abort(s->bpp.ssh,
"Extremely large packet length from remote suggests" "Out-of-range packet length from remote suggests"
" data stream corruption"); " data stream corruption");
crStopV; crStopV;
} }