From a146ab2e7aa984f8f5d7ec97e14bbf7ebeb30823 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Tue, 14 Feb 2017 21:52:28 +0000
Subject: [PATCH] Tighten up bounds-checking of agent responses.

I think an agent sending a string length exceeding the buffer bounds by less than 4 could have made PuTTY read beyond its own buffer end. Not that I really think a hostile SSH agent is likely to be attacking PuTTY, but it's as well to fix these things anyway!
---
 ssh.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/ssh.c b/ssh.c
index 46b6013b..4de741c7 100644
--- a/ssh.c
+++ b/ssh.c
@@ -9445,21 +9445,25 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
 goto done_agent_query;
 }
 bloblen = toint(GET_32BIT(q));
+ lenleft -= 4;
+ q += 4;
 if (bloblen < 0 || bloblen > lenleft) {
 logeventf(ssh, "Pageant response was truncated");
 s->nkeys = 0;
 goto done_agent_query;
 }
- lenleft -= 4 + bloblen;
- q += 4 + bloblen;
+ lenleft -= bloblen;
+ q += bloblen;
 commentlen = toint(GET_32BIT(q));
+ lenleft -= 4;
+ q += 4;
 if (commentlen < 0 || commentlen > lenleft) {
 logeventf(ssh, "Pageant response was truncated");
 s->nkeys = 0;
 goto done_agent_query;
 }
- lenleft -= 4 + commentlen;
- q += 4 + commentlen;
+ lenleft -= commentlen;
+ q += commentlen;
 }
 }
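Review bot: The four-byte read `commentlen = toint(GET_32BIT(q));` still happens before anything guarantees that four bytes remain: the preceding check admits `bloblen == lenleft`, after which `lenleft` is 0 and `q` points at the end of the response, so `GET_32BIT(q)` reads up to four bytes past the buffer before the new `lenleft -= 4` and the `commentlen > lenleft` comparison reject it. That rejection works only because `lenleft` is signed and has gone negative, which is fragile and does not undo the over-read. The lines just above the hunk look like an earlier truncation branch; if it does not establish `lenleft >= 4` before the `bloblen` read, the same applies there. A guard mirroring the existing truncation branches, placed before the `commentlen` read, closes the gap; do_ssh2_authconn begins and ends outside the hunk.
```c
		q += bloblen;
		/* Read the comment length only once four bytes are known to remain. */
		if (lenleft < 4) {
		    logeventf(ssh, "Pageant response was truncated");
		    s->nkeys = 0;
		    goto done_agent_query;
		}
		commentlen = toint(GET_32BIT(q));
		lenleft -= 4;
		q += 4;
		/* … unchanged: commentlen bound check and advance … */
```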