nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-03-22 06:38:37 -05:00
Code Issues Projects Releases Wiki Activity

Tighten up bounds-checking of agent responses.

Browse Source 
I think an agent sending a string length exceeding the buffer bounds
by less than 4 could have made PuTTY read beyond its own buffer end.
Not that I really think a hostile SSH agent is likely to be attacking
PuTTY, but it's as well to fix these things anyway!
This commit is contained in:
Simon Tatham 2017-02-14 21:52:28 +00:00
parent 50965a6411
commit a146ab2e7a
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ssh.c
View File

@ -9445,21 +9445,25 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
goto done_agent_query; goto done_agent_query;
} }
bloblen = toint(GET_32BIT(q)); bloblen = toint(GET_32BIT(q));
lenleft -= 4;
q += 4;
if (bloblen < 0 || bloblen > lenleft) { if (bloblen < 0 || bloblen > lenleft) {
logeventf(ssh, "Pageant response was truncated"); logeventf(ssh, "Pageant response was truncated");
s->nkeys = 0; s->nkeys = 0;
goto done_agent_query; goto done_agent_query;
} }
lenleft -= 4 + bloblen; lenleft -= bloblen;
q += 4 + bloblen; q += bloblen;
commentlen = toint(GET_32BIT(q)); commentlen = toint(GET_32BIT(q));
lenleft -= 4;
q += 4;
if (commentlen < 0 || commentlen > lenleft) { if (commentlen < 0 || commentlen > lenleft) {
logeventf(ssh, "Pageant response was truncated"); logeventf(ssh, "Pageant response was truncated");
s->nkeys = 0; s->nkeys = 0;
goto done_agent_query; goto done_agent_query;
} }
lenleft -= 4 + commentlen; lenleft -= commentlen;
q += 4 + commentlen; q += commentlen;
} }
} }