From 453cf99357d1da9ec9b8270ddbf7b6167468efbc Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Sun, 23 Jun 2019 11:38:55 +0100 Subject: [PATCH] Fix minor server-triggered DoS in get_fxp_attrs. If a server sent a very large number as extended_count, and didn't actually send any extended attributes, we could loop around and around calling get_string, which would carefully not overrun any buffer or leak any memory, and we weren't paying attention to extended attributes anyway, but it would still pointlessly consume CPU. Now we bail as soon as the BinarySource flags an error. Current callers will then spot the error and complain that the packet was malformed. --- sftpcommon.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sftpcommon.c b/sftpcommon.c index 4912899b..43b65755 100644 --- a/sftpcommon.c +++ b/sftpcommon.c @@ -85,6 +85,12 @@ bool BinarySource_get_fxp_attrs(BinarySource *src, struct fxp_attrs *attrs) if (attrs->flags & SSH_FILEXFER_ATTR_EXTENDED) { unsigned long count = get_uint32(src); while (count--) { + if (get_err(src)) { + /* Truncated packet. Don't waste time looking for + * attributes that aren't there. Caller should spot + * the truncation. */ + break; + } /* * We should try to analyse these, if we ever find one * we recognise.
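Review bot: the new `if (get_err(src)) { ... break; }` at the top of the `while (count--)` loop stops the spin, but it only breaks out of the loop and leaves the function's `bool` return value untouched, so this function still returns as if the attributes parsed cleanly and the commit message has to rely on "current callers" checking `get_err` afterwards. Since `BinarySource_get_fxp_attrs` already returns a `bool`, consider returning `false` here instead of `break`, or at least stating in the in-loop comment that the truncation is deliberately reported only through the BinarySource error flag, so a future caller that checks the return value alone is not misled. Minor ordering note: because the check runs before `get_string`, a packet that runs out exactly at the extended-attribute list still makes one `get_string` call that sets the error before the next iteration bails, which is harmless but worth a word in the comment.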