mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 09:12:24 +00:00
Fix integer underflow in SSH-1 BPP.
If the packet length field was in the range 0 <= x < 5, then it would pass the initial range check, but underflow to something in the region of 0xFFFFFFFF when the BPP code subtracted 5 from it, leading to an overlarge memory allocation, and/or allocation failure, and perhaps worse.
parent
921613ff08
commit
0315370926
@ -144,9 +144,9 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
|
|||||||
s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
|
s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->len < 0 || s->len > 262144) { /* SSH1.5-mandated max size */
|
if (s->len < 5 || s->len > 262144) { /* SSH1.5-mandated max size */
|
||||||
ssh_sw_abort(s->bpp.ssh,
|
ssh_sw_abort(s->bpp.ssh,
|
||||||
"Extremely large packet length from remote suggests"
|
"Out-of-range packet length from remote suggests"
|
||||||
" data stream corruption");
|
" data stream corruption");
|
||||||
crStopV;
|
crStopV;
|
||||||
}
|
}
|
||||||
|
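Review bot: The new lower bound `5` in `if (s->len < 5 || s->len > 262144)` is an unexplained magic number, and the trailing comment `/* SSH1.5-mandated max size */` still describes only the upper bound. Going by the commit description, the 5 has to match the amount subtracted from `s->len` later in `ssh1_bpp_handle_input` (presumably the one-byte packet type plus the four-byte CRC), so if the two constants drift apart the wraparound into the allocation size reopens silently. I would state the reason next to the check, e.g. `/* min: 1 type byte + 4 CRC bytes, subtracted below; max: SSH1.5-mandated size */`, or better, share one named constant between the check and the subtraction. The function body starts and ends outside this hunk, so the subtraction and the allocation could not be checked here.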