Tighten up bounds-checking of agent responses.
I think an agent sending a string length exceeding the buffer bounds by less than 4 could have made PuTTY read beyond its own buffer end. Not that I really think a hostile SSH agent is likely to be attacking PuTTY, but it's as well to fix these things anyway!
parent
50965a6411
commit
a146ab2e7a
12
ssh.c
12
ssh.c
@ -9445,21 +9445,25 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
|
||||
goto done_agent_query;
|
||||
}
|
||||
bloblen = toint(GET_32BIT(q));
|
||||
lenleft -= 4;
|
||||
q += 4;
|
||||
if (bloblen < 0 || bloblen > lenleft) {
|
||||
logeventf(ssh, "Pageant response was truncated");
|
||||
s->nkeys = 0;
|
||||
goto done_agent_query;
|
||||
}
|
||||
lenleft -= 4 + bloblen;
|
||||
q += 4 + bloblen;
|
||||
lenleft -= bloblen;
|
||||
q += bloblen;
|
||||
commentlen = toint(GET_32BIT(q));
|
||||
lenleft -= 4;
|
||||
q += 4;
|
||||
if (commentlen < 0 || commentlen > lenleft) {
|
||||
logeventf(ssh, "Pageant response was truncated");
|
||||
s->nkeys = 0;
|
||||
goto done_agent_query;
|
||||
}
|
||||
lenleft -= 4 + commentlen;
|
||||
q += 4 + commentlen;
|
||||
lenleft -= commentlen;
|
||||
q += commentlen;
|
||||
}
|
||||
}
|
||||
|
||||
|
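Review bot: The comment-length read, `commentlen = toint(GET_32BIT(q));`, is not preceded by a check that four bytes remain: if the key blob ends within the last three bytes of the response, `lenleft` is below 4 after `q += bloblen`, and GET_32BIT reads past the buffer end before the `commentlen > lenleft` test can reject the response. Assuming the split `lenleft -= 4;` / `lenleft -= bloblen;` lines are the new side (the page has lost its +/- markers), an `if (lenleft < 4)` guard placed before that read, taking the same "Pageant response was truncated" / `s->nkeys = 0;` / `goto done_agent_query;` path, would close the gap. The guard for the first length read appears to sit above the hunk, where only its `goto` and closing brace are visible, so it is worth confirming there too; the enclosing loop and function continue outside the hunk.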