mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 01:02:24 +00:00
Additional robustness to SFTP packet parsing and memory allocation.
[originally from svn r5358]
This commit is contained in:
Simon Tatham
parent
3c44ce243f
commit
893d187b81
19
misc.c
19
misc.c
@ -5,6 +5,7 @@
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
|
#include <limits.h>
|
||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#include "putty.h"
|
#include "putty.h"
|
||||||
@ -388,14 +389,21 @@ void mlog(char *file, int line)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
void *safemalloc(size_t size)
|
void *safemalloc(size_t n, size_t size)
|
||||||
{
|
{
|
||||||
void *p;
|
void *p;
|
||||||
|
|
||||||
|
if (n > INT_MAX / size) {
|
||||||
|
p = NULL;
|
||||||
|
} else {
|
||||||
|
size *= n;
|
||||||
#ifdef MINEFIELD
|
#ifdef MINEFIELD
|
||||||
p = minefield_c_malloc(size);
|
p = minefield_c_malloc(size);
|
||||||
#else
|
#else
|
||||||
p = malloc(size);
|
p = malloc(size);
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
if (!p) {
|
if (!p) {
|
||||||
char str[200];
|
char str[200];
|
||||||
#ifdef MALLOC_LOG
|
#ifdef MALLOC_LOG
|
||||||
@ -415,9 +423,14 @@ void *safemalloc(size_t size)
|
|||||||
return p;
|
return p;
|
||||||
}
|
}
|
||||||
|
|
||||||
void *saferealloc(void *ptr, size_t size)
|
void *saferealloc(void *ptr, size_t n, size_t size)
|
||||||
{
|
{
|
||||||
void *p;
|
void *p;
|
||||||
|
|
||||||
|
if (n > INT_MAX / size) {
|
||||||
|
p = NULL;
|
||||||
|
} else {
|
||||||
|
size *= n;
|
||||||
if (!ptr) {
|
if (!ptr) {
|
||||||
#ifdef MINEFIELD
|
#ifdef MINEFIELD
|
||||||
p = minefield_c_malloc(size);
|
p = minefield_c_malloc(size);
|
||||||
@ -431,6 +444,8 @@ void *saferealloc(void *ptr, size_t size)
|
|||||||
p = realloc(ptr, size);
|
p = realloc(ptr, size);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!p) {
|
if (!p) {
|
||||||
char str[200];
|
char str[200];
|
||||||
#ifdef MALLOC_LOG
|
#ifdef MALLOC_LOG
|
||||||
|
|||||||
22
puttymem.h
22
puttymem.h
@ -11,18 +11,22 @@
|
|||||||
|
|
||||||
/* #define MALLOC_LOG do this if you suspect putty of leaking memory */
|
/* #define MALLOC_LOG do this if you suspect putty of leaking memory */
|
||||||
#ifdef MALLOC_LOG
|
#ifdef MALLOC_LOG
|
||||||
#define smalloc(z) (mlog(__FILE__,__LINE__), safemalloc(z))
|
#define smalloc(z) (mlog(__FILE__,__LINE__), safemalloc(z,1))
|
||||||
#define srealloc(y,z) (mlog(__FILE__,__LINE__), saferealloc(y,z))
|
#define snmalloc(z,s) (mlog(__FILE__,__LINE__), safemalloc(z,s))
|
||||||
|
#define srealloc(y,z) (mlog(__FILE__,__LINE__), saferealloc(y,z,1))
|
||||||
|
#define snrealloc(y,z) (mlog(__FILE__,__LINE__), saferealloc(y,z,s))
|
||||||
#define sfree(z) (mlog(__FILE__,__LINE__), safefree(z))
|
#define sfree(z) (mlog(__FILE__,__LINE__), safefree(z))
|
||||||
void mlog(char *, int);
|
void mlog(char *, int);
|
||||||
#else
|
#else
|
||||||
#define smalloc safemalloc
|
#define smalloc(z) safemalloc(z,1)
|
||||||
#define srealloc saferealloc
|
#define snmalloc safemalloc
|
||||||
|
#define srealloc(y,z) saferealloc(y,z,1)
|
||||||
|
#define snrealloc saferealloc
|
||||||
#define sfree safefree
|
#define sfree safefree
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
void *safemalloc(size_t);
|
void *safemalloc(size_t, size_t);
|
||||||
void *saferealloc(void *, size_t);
|
void *saferealloc(void *, size_t, size_t);
|
||||||
void safefree(void *);
|
void safefree(void *);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -31,8 +35,8 @@ void safefree(void *);
|
|||||||
* you don't mistakenly allocate enough space for one sort of
|
* you don't mistakenly allocate enough space for one sort of
|
||||||
* structure and assign it to a different sort of pointer.
|
* structure and assign it to a different sort of pointer.
|
||||||
*/
|
*/
|
||||||
#define snew(type) ((type *)smalloc(sizeof(type)))
|
#define snew(type) ((type *)snmalloc(1, sizeof(type)))
|
||||||
#define snewn(n, type) ((type *)smalloc((n)*sizeof(type)))
|
#define snewn(n, type) ((type *)snmalloc((n), sizeof(type)))
|
||||||
#define sresize(ptr, n, type) ((type *)srealloc(ptr, (n)*sizeof(type)))
|
#define sresize(ptr, n, type) ((type *)snrealloc((ptr), (n), sizeof(type)))
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
199
sftp.c
199
sftp.c
@ -27,8 +27,8 @@
|
|||||||
|
|
||||||
struct sftp_packet {
|
struct sftp_packet {
|
||||||
char *data;
|
char *data;
|
||||||
int length, maxlen;
|
unsigned length, maxlen;
|
||||||
int savedpos;
|
unsigned savedpos;
|
||||||
int type;
|
int type;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -139,61 +139,67 @@ static void sftp_pkt_addattrs(struct sftp_packet *pkt, struct fxp_attrs attrs)
|
|||||||
* SFTP packet decode functions.
|
* SFTP packet decode functions.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
static unsigned char sftp_pkt_getbyte(struct sftp_packet *pkt)
|
static int sftp_pkt_getbyte(struct sftp_packet *pkt, unsigned char *ret)
|
||||||
{
|
{
|
||||||
unsigned char value;
|
|
||||||
if (pkt->length - pkt->savedpos < 1)
|
if (pkt->length - pkt->savedpos < 1)
|
||||||
return 0; /* arrgh, no way to decline (FIXME?) */
|
return 0;
|
||||||
value = (unsigned char) pkt->data[pkt->savedpos];
|
*ret = (unsigned char) pkt->data[pkt->savedpos];
|
||||||
pkt->savedpos++;
|
pkt->savedpos++;
|
||||||
return value;
|
return 1;
|
||||||
}
|
}
|
||||||
static unsigned long sftp_pkt_getuint32(struct sftp_packet *pkt)
|
static int sftp_pkt_getuint32(struct sftp_packet *pkt, unsigned long *ret)
|
||||||
{
|
{
|
||||||
unsigned long value;
|
|
||||||
if (pkt->length - pkt->savedpos < 4)
|
if (pkt->length - pkt->savedpos < 4)
|
||||||
return 0; /* arrgh, no way to decline (FIXME?) */
|
return 0;
|
||||||
value = GET_32BIT(pkt->data + pkt->savedpos);
|
*ret = GET_32BIT(pkt->data + pkt->savedpos);
|
||||||
pkt->savedpos += 4;
|
pkt->savedpos += 4;
|
||||||
return value;
|
return 1;
|
||||||
}
|
}
|
||||||
static void sftp_pkt_getstring(struct sftp_packet *pkt,
|
static int sftp_pkt_getstring(struct sftp_packet *pkt,
|
||||||
char **p, int *length)
|
char **p, int *length)
|
||||||
{
|
{
|
||||||
*p = NULL;
|
*p = NULL;
|
||||||
if (pkt->length - pkt->savedpos < 4)
|
if (pkt->length - pkt->savedpos < 4)
|
||||||
return;
|
return 0;
|
||||||
*length = GET_32BIT(pkt->data + pkt->savedpos);
|
*length = GET_32BIT(pkt->data + pkt->savedpos);
|
||||||
pkt->savedpos += 4;
|
pkt->savedpos += 4;
|
||||||
if (pkt->length - pkt->savedpos < *length)
|
if (pkt->length - pkt->savedpos < *length || *length < 0) {
|
||||||
return;
|
*length = 0;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
*p = pkt->data + pkt->savedpos;
|
*p = pkt->data + pkt->savedpos;
|
||||||
pkt->savedpos += *length;
|
pkt->savedpos += *length;
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
static struct fxp_attrs sftp_pkt_getattrs(struct sftp_packet *pkt)
|
static int sftp_pkt_getattrs(struct sftp_packet *pkt, struct fxp_attrs *ret)
|
||||||
{
|
{
|
||||||
struct fxp_attrs ret;
|
if (!sftp_pkt_getuint32(pkt, &ret->flags))
|
||||||
ret.flags = sftp_pkt_getuint32(pkt);
|
return 0;
|
||||||
if (ret.flags & SSH_FILEXFER_ATTR_SIZE) {
|
if (ret->flags & SSH_FILEXFER_ATTR_SIZE) {
|
||||||
unsigned long hi, lo;
|
unsigned long hi, lo;
|
||||||
hi = sftp_pkt_getuint32(pkt);
|
if (!sftp_pkt_getuint32(pkt, &hi) ||
|
||||||
lo = sftp_pkt_getuint32(pkt);
|
!sftp_pkt_getuint32(pkt, &lo))
|
||||||
ret.size = uint64_make(hi, lo);
|
return 0;
|
||||||
|
ret->size = uint64_make(hi, lo);
|
||||||
}
|
}
|
||||||
if (ret.flags & SSH_FILEXFER_ATTR_UIDGID) {
|
if (ret->flags & SSH_FILEXFER_ATTR_UIDGID) {
|
||||||
ret.uid = sftp_pkt_getuint32(pkt);
|
if (!sftp_pkt_getuint32(pkt, &ret->uid) ||
|
||||||
ret.gid = sftp_pkt_getuint32(pkt);
|
!sftp_pkt_getuint32(pkt, &ret->gid))
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
if (ret.flags & SSH_FILEXFER_ATTR_PERMISSIONS) {
|
if (ret->flags & SSH_FILEXFER_ATTR_PERMISSIONS) {
|
||||||
ret.permissions = sftp_pkt_getuint32(pkt);
|
if (!sftp_pkt_getuint32(pkt, &ret->permissions))
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
if (ret.flags & SSH_FILEXFER_ATTR_ACMODTIME) {
|
if (ret->flags & SSH_FILEXFER_ATTR_ACMODTIME) {
|
||||||
ret.atime = sftp_pkt_getuint32(pkt);
|
if (!sftp_pkt_getuint32(pkt, &ret->atime) ||
|
||||||
ret.mtime = sftp_pkt_getuint32(pkt);
|
!sftp_pkt_getuint32(pkt, &ret->mtime))
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
if (ret.flags & SSH_FILEXFER_ATTR_EXTENDED) {
|
if (ret->flags & SSH_FILEXFER_ATTR_EXTENDED) {
|
||||||
int count;
|
unsigned long count;
|
||||||
count = sftp_pkt_getuint32(pkt);
|
if (!sftp_pkt_getuint32(pkt, &count))
|
||||||
|
return 0;
|
||||||
while (count--) {
|
while (count--) {
|
||||||
char *str;
|
char *str;
|
||||||
int len;
|
int len;
|
||||||
@ -201,11 +207,12 @@ static struct fxp_attrs sftp_pkt_getattrs(struct sftp_packet *pkt)
|
|||||||
* We should try to analyse these, if we ever find one
|
* We should try to analyse these, if we ever find one
|
||||||
* we recognise.
|
* we recognise.
|
||||||
*/
|
*/
|
||||||
sftp_pkt_getstring(pkt, &str, &len);
|
if (!sftp_pkt_getstring(pkt, &str, &len) ||
|
||||||
sftp_pkt_getstring(pkt, &str, &len);
|
!sftp_pkt_getstring(pkt, &str, &len))
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return ret;
|
return 1;
|
||||||
}
|
}
|
||||||
static void sftp_pkt_free(struct sftp_packet *pkt)
|
static void sftp_pkt_free(struct sftp_packet *pkt)
|
||||||
{
|
{
|
||||||
@ -230,6 +237,7 @@ struct sftp_packet *sftp_recv(void)
|
|||||||
{
|
{
|
||||||
struct sftp_packet *pkt;
|
struct sftp_packet *pkt;
|
||||||
char x[4];
|
char x[4];
|
||||||
|
unsigned char uc;
|
||||||
|
|
||||||
if (!sftp_recvdata(x, 4))
|
if (!sftp_recvdata(x, 4))
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -244,7 +252,12 @@ struct sftp_packet *sftp_recv(void)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
pkt->type = sftp_pkt_getbyte(pkt);
|
if (!sftp_pkt_getbyte(pkt, &uc)) {
|
||||||
|
sftp_pkt_free(pkt);
|
||||||
|
return NULL;
|
||||||
|
} else {
|
||||||
|
pkt->type = uc;
|
||||||
|
}
|
||||||
|
|
||||||
return pkt;
|
return pkt;
|
||||||
}
|
}
|
||||||
@ -357,7 +370,10 @@ struct sftp_request *sftp_find_request(struct sftp_packet *pktin)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
id = sftp_pkt_getuint32(pktin);
|
if (!sftp_pkt_getuint32(pktin, &id)) {
|
||||||
|
fxp_internal_error("did not receive a valid SFTP packet\n");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
req = find234(sftp_requests, &id, sftp_reqfind);
|
req = find234(sftp_requests, &id, sftp_reqfind);
|
||||||
|
|
||||||
if (!req || !req->registered) {
|
if (!req || !req->registered) {
|
||||||
@ -413,13 +429,19 @@ static int fxp_got_status(struct sftp_packet *pktin)
|
|||||||
fxp_error_message = "expected FXP_STATUS packet";
|
fxp_error_message = "expected FXP_STATUS packet";
|
||||||
fxp_errtype = -1;
|
fxp_errtype = -1;
|
||||||
} else {
|
} else {
|
||||||
fxp_errtype = sftp_pkt_getuint32(pktin);
|
unsigned long ul;
|
||||||
|
if (!sftp_pkt_getuint32(pktin, &ul)) {
|
||||||
|
fxp_error_message = "malformed FXP_STATUS packet";
|
||||||
|
fxp_errtype = -1;
|
||||||
|
} else {
|
||||||
|
fxp_errtype = ul;
|
||||||
if (fxp_errtype < 0 ||
|
if (fxp_errtype < 0 ||
|
||||||
fxp_errtype >= sizeof(messages) / sizeof(*messages))
|
fxp_errtype >= sizeof(messages) / sizeof(*messages))
|
||||||
fxp_error_message = "unknown error code";
|
fxp_error_message = "unknown error code";
|
||||||
else
|
else
|
||||||
fxp_error_message = messages[fxp_errtype];
|
fxp_error_message = messages[fxp_errtype];
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (fxp_errtype == SSH_FX_OK)
|
if (fxp_errtype == SSH_FX_OK)
|
||||||
return 1;
|
return 1;
|
||||||
@ -451,7 +473,7 @@ int fxp_error_type(void)
|
|||||||
int fxp_init(void)
|
int fxp_init(void)
|
||||||
{
|
{
|
||||||
struct sftp_packet *pktout, *pktin;
|
struct sftp_packet *pktout, *pktin;
|
||||||
int remotever;
|
unsigned long remotever;
|
||||||
|
|
||||||
pktout = sftp_pkt_init(SSH_FXP_INIT);
|
pktout = sftp_pkt_init(SSH_FXP_INIT);
|
||||||
sftp_pkt_adduint32(pktout, SFTP_PROTO_VERSION);
|
sftp_pkt_adduint32(pktout, SFTP_PROTO_VERSION);
|
||||||
@ -467,7 +489,11 @@ int fxp_init(void)
|
|||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
remotever = sftp_pkt_getuint32(pktin);
|
if (!sftp_pkt_getuint32(pktin, &remotever)) {
|
||||||
|
fxp_internal_error("malformed FXP_VERSION packet");
|
||||||
|
sftp_pkt_free(pktin);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
if (remotever > SFTP_PROTO_VERSION) {
|
if (remotever > SFTP_PROTO_VERSION) {
|
||||||
fxp_internal_error
|
fxp_internal_error
|
||||||
("remote protocol is more advanced than we support");
|
("remote protocol is more advanced than we support");
|
||||||
@ -507,18 +533,16 @@ char *fxp_realpath_recv(struct sftp_packet *pktin, struct sftp_request *req)
|
|||||||
sfree(req);
|
sfree(req);
|
||||||
|
|
||||||
if (pktin->type == SSH_FXP_NAME) {
|
if (pktin->type == SSH_FXP_NAME) {
|
||||||
int count;
|
unsigned long count;
|
||||||
char *path;
|
char *path;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
count = sftp_pkt_getuint32(pktin);
|
if (!sftp_pkt_getuint32(pktin, &count) || count != 1) {
|
||||||
if (count != 1) {
|
fxp_internal_error("REALPATH did not return name count of 1\n");
|
||||||
fxp_internal_error("REALPATH returned name count != 1\n");
|
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
sftp_pkt_getstring(pktin, &path, &len);
|
if (!sftp_pkt_getstring(pktin, &path, &len)) {
|
||||||
if (!path) {
|
|
||||||
fxp_internal_error("REALPATH returned malformed FXP_NAME\n");
|
fxp_internal_error("REALPATH returned malformed FXP_NAME\n");
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -561,8 +585,7 @@ struct fxp_handle *fxp_open_recv(struct sftp_packet *pktin,
|
|||||||
struct fxp_handle *handle;
|
struct fxp_handle *handle;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
sftp_pkt_getstring(pktin, &hstring, &len);
|
if (!sftp_pkt_getstring(pktin, &hstring, &len)) {
|
||||||
if (!hstring) {
|
|
||||||
fxp_internal_error("OPEN returned malformed FXP_HANDLE\n");
|
fxp_internal_error("OPEN returned malformed FXP_HANDLE\n");
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -604,8 +627,7 @@ struct fxp_handle *fxp_opendir_recv(struct sftp_packet *pktin,
|
|||||||
struct fxp_handle *handle;
|
struct fxp_handle *handle;
|
||||||
int len;
|
int len;
|
||||||
|
|
||||||
sftp_pkt_getstring(pktin, &hstring, &len);
|
if (!sftp_pkt_getstring(pktin, &hstring, &len)) {
|
||||||
if (!hstring) {
|
|
||||||
fxp_internal_error("OPENDIR returned malformed FXP_HANDLE\n");
|
fxp_internal_error("OPENDIR returned malformed FXP_HANDLE\n");
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -773,7 +795,11 @@ int fxp_stat_recv(struct sftp_packet *pktin, struct sftp_request *req,
|
|||||||
{
|
{
|
||||||
sfree(req);
|
sfree(req);
|
||||||
if (pktin->type == SSH_FXP_ATTRS) {
|
if (pktin->type == SSH_FXP_ATTRS) {
|
||||||
*attrs = sftp_pkt_getattrs(pktin);
|
if (!sftp_pkt_getattrs(pktin, attrs)) {
|
||||||
|
fxp_internal_error("malformed SSH_FXP_ATTRS packet");
|
||||||
|
sftp_pkt_free(pktin);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
@ -802,7 +828,11 @@ int fxp_fstat_recv(struct sftp_packet *pktin, struct sftp_request *req,
|
|||||||
{
|
{
|
||||||
sfree(req);
|
sfree(req);
|
||||||
if (pktin->type == SSH_FXP_ATTRS) {
|
if (pktin->type == SSH_FXP_ATTRS) {
|
||||||
*attrs = sftp_pkt_getattrs(pktin);
|
if (!sftp_pkt_getattrs(pktin, attrs)) {
|
||||||
|
fxp_internal_error("malformed SSH_FXP_ATTRS packet");
|
||||||
|
sftp_pkt_free(pktin);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
@ -900,7 +930,11 @@ int fxp_read_recv(struct sftp_packet *pktin, struct sftp_request *req,
|
|||||||
char *str;
|
char *str;
|
||||||
int rlen;
|
int rlen;
|
||||||
|
|
||||||
sftp_pkt_getstring(pktin, &str, &rlen);
|
if (!sftp_pkt_getstring(pktin, &str, &rlen)) {
|
||||||
|
fxp_internal_error("READ returned malformed SSH_FXP_DATA packet");
|
||||||
|
sftp_pkt_free(pktin);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
if (rlen > len || rlen < 0) {
|
if (rlen > len || rlen < 0) {
|
||||||
fxp_internal_error("READ returned more bytes than requested");
|
fxp_internal_error("READ returned more bytes than requested");
|
||||||
@ -941,18 +975,55 @@ struct fxp_names *fxp_readdir_recv(struct sftp_packet *pktin,
|
|||||||
sfree(req);
|
sfree(req);
|
||||||
if (pktin->type == SSH_FXP_NAME) {
|
if (pktin->type == SSH_FXP_NAME) {
|
||||||
struct fxp_names *ret;
|
struct fxp_names *ret;
|
||||||
int i;
|
unsigned long i;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Sanity-check the number of names. Minimum is obviously
|
||||||
|
* zero. Maximum is the remaining space in the packet
|
||||||
|
* divided by the very minimum length of a name, which is
|
||||||
|
* 12 bytes (4 for an empty filename, 4 for an empty
|
||||||
|
* longname, 4 for a set of attribute flags indicating that
|
||||||
|
* no other attributes are supplied).
|
||||||
|
*/
|
||||||
|
if (!sftp_pkt_getuint32(pktin, &i) ||
|
||||||
|
i > (pktin->length-pktin->savedpos)/12) {
|
||||||
|
fxp_internal_error("malformed FXP_NAME packet");
|
||||||
|
sftp_pkt_free(pktin);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Ensure the implicit multiplication in the snewn() call
|
||||||
|
* doesn't suffer integer overflow and cause us to malloc
|
||||||
|
* too little space.
|
||||||
|
*/
|
||||||
|
if (i > INT_MAX / sizeof(struct fxp_name)) {
|
||||||
|
fxp_internal_error("unreasonably large FXP_NAME packet");
|
||||||
|
sftp_pkt_free(pktin);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
ret = snew(struct fxp_names);
|
ret = snew(struct fxp_names);
|
||||||
ret->nnames = sftp_pkt_getuint32(pktin);
|
ret->nnames = i;
|
||||||
ret->names = snewn(ret->nnames, struct fxp_name);
|
ret->names = snewn(ret->nnames, struct fxp_name);
|
||||||
for (i = 0; i < ret->nnames; i++) {
|
for (i = 0; i < ret->nnames; i++) {
|
||||||
char *str;
|
char *str1, *str2;
|
||||||
int len;
|
int len1, len2;
|
||||||
sftp_pkt_getstring(pktin, &str, &len);
|
if (!sftp_pkt_getstring(pktin, &str1, &len1) ||
|
||||||
ret->names[i].filename = mkstr(str, len);
|
!sftp_pkt_getstring(pktin, &str2, &len2) ||
|
||||||
sftp_pkt_getstring(pktin, &str, &len);
|
!sftp_pkt_getattrs(pktin, &ret->names[i].attrs)) {
|
||||||
ret->names[i].longname = mkstr(str, len);
|
fxp_internal_error("malformed FXP_NAME packet");
|
||||||
ret->names[i].attrs = sftp_pkt_getattrs(pktin);
|
while (i--) {
|
||||||
|
sfree(ret->names[i].filename);
|
||||||
|
sfree(ret->names[i].longname);
|
||||||
|
}
|
||||||
|
sfree(ret->names);
|
||||||
|
sfree(ret);
|
||||||
|
sfree(pktin);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
ret->names[i].filename = mkstr(str1, len1);
|
||||||
|
ret->names[i].longname = mkstr(str2, len2);
|
||||||
}
|
}
|
||||||
sftp_pkt_free(pktin);
|
sftp_pkt_free(pktin);
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user