mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 09:12:24 +00:00
winpgntc: check the length field in agent responses.
If the agent sent a response whose length field describes an interval of memory larger than the file-mapping object the message is supposed to be stored in, we shouldn't return that message to the client as if nothing is wrong. Treat that the same as a failure to receive any response at all.
This commit is contained in:
parent
721650bcb1
commit
b38d47e94c
@ -109,13 +109,24 @@ agent_pending_query *agent_query(
|
|||||||
*/
|
*/
|
||||||
id = SendMessage(hwnd, WM_COPYDATA, (WPARAM) NULL, (LPARAM) &cds);
|
id = SendMessage(hwnd, WM_COPYDATA, (WPARAM) NULL, (LPARAM) &cds);
|
||||||
if (id > 0) {
|
if (id > 0) {
|
||||||
retlen = 4 + GET_32BIT_MSB_FIRST(p);
|
uint32_t length_field = GET_32BIT_MSB_FIRST(p);
|
||||||
ret = snewn(retlen, unsigned char);
|
if (length_field > 0 && length_field <= AGENT_MAX_MSGLEN - 4) {
|
||||||
if (ret) {
|
retlen = length_field + 4;
|
||||||
|
ret = snewn(retlen, unsigned char);
|
||||||
memcpy(ret, p, retlen);
|
memcpy(ret, p, retlen);
|
||||||
*out = ret;
|
*out = ret;
|
||||||
*outlen = retlen;
|
*outlen = retlen;
|
||||||
}
|
} else {
|
||||||
|
/*
|
||||||
|
* If we get here, we received an out-of-range length
|
||||||
|
* field, either without space for a message type code or
|
||||||
|
* overflowing the FileMapping.
|
||||||
|
*
|
||||||
|
* Treat this as if Pageant didn't answer at all - which
|
||||||
|
* actually means we do nothing, and just don't fill in
|
||||||
|
* out and outlen.
|
||||||
|
*/
|
||||||
|
}
|
||||||
}
|
}
|
||||||
UnmapViewOfFile(p);
|
UnmapViewOfFile(p);
|
||||||
CloseHandle(filemap);
|
CloseHandle(filemap);
|
||||||
|
Loading…
Reference in New Issue
Block a user