nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 09:58:01 +00:00
Code Issues Projects Releases Wiki Activity

Refuse to forward agent messages > AGENT_MAX_MSGLEN.

Browse Source 
Mostly so that we don't have to malloc contiguous space for them
inside PuTTY; since we've already got a handy constant saying how big
is too big, we might as well use it to sanity-check the contents of
our agent forwarding channels.
This commit is contained in:
Simon Tatham 2017-01-30 19:42:25 +00:00
parent e22120fea8
commit 1b2cc40244
1 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
ssh.c
View File

@ -10,6 +10,7 @@
#include <signal.h> #include <signal.h>
#include "putty.h" #include "putty.h"
#include "pageant.h" /* for AGENT_MAX_MSGLEN */
#include "tree234.h" #include "tree234.h"
#include "storage.h" #include "storage.h"
#include "ssh.h" #include "ssh.h"
@ -3857,6 +3858,8 @@ static void ssh_agentf_got_response(struct ssh_channel *c,
{ {
c->u.a.pending = NULL; c->u.a.pending = NULL;
assert(!(c->closes & CLOSES_SENT_EOF));
if (!reply) { if (!reply) {
/* The real agent didn't send any kind of reply at all for /* The real agent didn't send any kind of reply at all for
* some reason, so fake an SSH_AGENT_FAILURE. */ * some reason, so fake an SSH_AGENT_FAILURE. */
@ -3897,6 +3900,15 @@ static void ssh_agentf_try_forward(struct ssh_channel *c)
(c->ssh->version == 2 && c->v.v2.remwindow == 0)) (c->ssh->version == 2 && c->v.v2.remwindow == 0))
return; return;
if (c->closes & CLOSES_SENT_EOF) {
/*
* If we've already sent outgoing EOF, there's nothing we can
* do with incoming data except consume it and throw it away.
*/
bufchain_clear(&c->u.a.inbuffer);
return;
}
while (1) { while (1) {
/* /*
* Try to extract a complete message from the input buffer. * Try to extract a complete message from the input buffer.
@ -3907,6 +3919,21 @@ static void ssh_agentf_try_forward(struct ssh_channel *c)
bufchain_fetch(&c->u.a.inbuffer, msglen, 4); bufchain_fetch(&c->u.a.inbuffer, msglen, 4);
lengthfield = GET_32BIT(msglen); lengthfield = GET_32BIT(msglen);
if (lengthfield > AGENT_MAX_MSGLEN) {
/*
* If the remote has sent a message that's just _too_
* long, we should reject it in advance of seeing the rest
* of the incoming message, and also close the connection
* for good measure (which avoids us having to faff about
* with carefully ignoring just the right number of bytes
* from the overlong message).
*/
ssh_agentf_got_response(c, NULL, 0);
sshfwd_write_eof(c);
return;
}
if (lengthfield > datalen - 4) if (lengthfield > datalen - 4)
break; /* a whole message is not yet available */ break; /* a whole message is not yet available */