1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Tighten up bounds-checking of agent responses.

I think an agent sending a string length exceeding the buffer bounds
by less than 4 could have made PuTTY read beyond its own buffer end.
Not that I really think a hostile SSH agent is likely to be attacking
PuTTY, but it's as well to fix these things anyway!
This commit is contained in:
Simon Tatham 2017-02-14 21:52:28 +00:00
parent 50965a6411
commit a146ab2e7a

12
ssh.c
View File

@ -9445,21 +9445,25 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
goto done_agent_query;
}
bloblen = toint(GET_32BIT(q));
lenleft -= 4;
q += 4;
if (bloblen < 0 || bloblen > lenleft) {
logeventf(ssh, "Pageant response was truncated");
s->nkeys = 0;
goto done_agent_query;
}
lenleft -= 4 + bloblen;
q += 4 + bloblen;
lenleft -= bloblen;
q += bloblen;
commentlen = toint(GET_32BIT(q));
lenleft -= 4;
q += 4;
if (commentlen < 0 || commentlen > lenleft) {
logeventf(ssh, "Pageant response was truncated");
s->nkeys = 0;
goto done_agent_query;
}
lenleft -= 4 + commentlen;
q += 4 + commentlen;
lenleft -= commentlen;
q += commentlen;
}
}