nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 09:58:01 +00:00
Code Issues Projects Releases Wiki Activity

Fix integer underflow in SSH-1 BPP.

Browse Source 
If the packet length field was in the range 0 <= x < 5, then it would
pass the initial range check, but underflow to something in the region
of 0xFFFFFFFF when the BPP code subtracted 5 from it, leading to an
overlarge memory allocation, and/or allocation failure, and perhaps
worse.
This commit is contained in:
Simon Tatham 2019-06-28 19:23:33 +01:00
parent 921613ff08
commit 0315370926
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ssh1bpp.c
View File

@ -144,9 +144,9 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
s->len = toint(GET_32BIT_MSB_FIRST(lenbuf)); s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
} }
if (s->len < 0 || s->len > 262144) { /* SSH1.5-mandated max size */ if (s->len < 5 || s->len > 262144) { /* SSH1.5-mandated max size */
ssh_sw_abort(s->bpp.ssh, ssh_sw_abort(s->bpp.ssh,
"Extremely large packet length from remote suggests" "Out-of-range packet length from remote suggests"
" data stream corruption"); " data stream corruption");
crStopV; crStopV;
} }