mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
Fix integer underflow in SSH-1 BPP.
If the packet length field was in the range 0 <= x < 5, then it would pass the initial range check, but underflow to something in the region of 0xFFFFFFFF when the BPP code subtracted 5 from it, leading to an overlarge memory allocation, and/or allocation failure, and perhaps worse.
This commit is contained in:
parent
921613ff08
commit
0315370926
@ -144,9 +144,9 @@ static void ssh1_bpp_handle_input(BinaryPacketProtocol *bpp)
|
||||
s->len = toint(GET_32BIT_MSB_FIRST(lenbuf));
|
||||
}
|
||||
|
||||
if (s->len < 0 || s->len > 262144) { /* SSH1.5-mandated max size */
|
||||
if (s->len < 5 || s->len > 262144) { /* SSH1.5-mandated max size */
|
||||
ssh_sw_abort(s->bpp.ssh,
|
||||
"Extremely large packet length from remote suggests"
|
||||
"Out-of-range packet length from remote suggests"
|
||||
" data stream corruption");
|
||||
crStopV;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user