Fix minor server-triggered DoS in get_fxp_attrs.

If a server sent a very large number as extended_count, and didn't actually send any extended attributes, we could loop around and around calling get_string, which would carefully not overrun any buffer or leak any memory, and we weren't paying attention to extended attributes anyway, but it would still pointlessly consume CPU. Now we bail as soon as the BinarySource flags an error. Current callers will then spot the error and complain that the packet was malformed.
2025-01-09 17:38:00 +00:00 · 2019-06-23 11:38:55 +01:00 · 2019-06-23 11:38:55 +01:00 · 453cf99357
commit 453cf99357
parent 81609be052
1 changed files with 6 additions and 0 deletions
--- a/sftpcommon.c
+++ b/sftpcommon.c
@ -85,6 +85,12 @@ bool BinarySource_get_fxp_attrs(BinarySource *src, struct fxp_attrs *attrs)
    if (attrs->flags & SSH_FILEXFER_ATTR_EXTENDED) {
 	unsigned long count = get_uint32(src);
 	while (count--) {
+	    if (get_err(src)) {
+		/* Truncated packet. Don't waste time looking for
+		 * attributes that aren't there. Caller should spot
+		 * the truncation. */
+		break;
+	    }
 	    /*
 	     * We should try to analyse these, if we ever find one
 	     * we recognise.