nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00
Code Issues Projects Releases Wiki Activity

Tighten up bounds-checking of agent responses.

Browse Source 
I think an agent sending a string length exceeding the buffer bounds
by less than 4 could have made PuTTY read beyond its own buffer end.
Not that I really think a hostile SSH agent is likely to be attacking
PuTTY, but it's as well to fix these things anyway!
This commit is contained in:
Simon Tatham 2017-02-14 21:52:28 +00:00
parent 50965a6411
commit a146ab2e7a
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ssh.c
View File

@ -9445,21 +9445,25 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
goto done_agent_query;
}
bloblen = toint(GET_32BIT(q));
lenleft -= 4;
q += 4;
if (bloblen < 0 || bloblen > lenleft) {
logeventf(ssh, "Pageant response was truncated");
s->nkeys = 0;
goto done_agent_query;
}
lenleft -= 4 + bloblen;
q += 4 + bloblen;
lenleft -= bloblen;
q += bloblen;
commentlen = toint(GET_32BIT(q));
lenleft -= 4;
q += 4;
if (commentlen < 0 || commentlen > lenleft) {
logeventf(ssh, "Pageant response was truncated");
s->nkeys = 0;
goto done_agent_query;
}
lenleft -= 4 + commentlen;
q += 4 + commentlen;
lenleft -= commentlen;
q += commentlen;
}
}