nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 09:58:01 +00:00
Code Issues Projects Releases Wiki Activity

Fix a segfault (non-security-critical - null dereference for

Browse Source 
reading) in the zlib code when fed certain kinds of invalid data. As
a result, ssh.c now needs to be prepared for zlib_decompress_block
to return failure.

[originally from svn r3306]
This commit is contained in:
Simon Tatham 2003-06-26 13:41:30 +00:00
parent 5161740aab
commit d02ea52abc
2 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ssh.c
View File

@ -868,9 +868,12 @@ static int ssh1_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
if (ssh->v1_compressing) { if (ssh->v1_compressing) {
unsigned char *decompblk; unsigned char *decompblk;
int decomplen; int decomplen;
zlib_decompress_block(ssh->sc_comp_ctx, if (!zlib_decompress_block(ssh->sc_comp_ctx,
ssh->pktin.body - 1, ssh->pktin.length + 1, ssh->pktin.body - 1, ssh->pktin.length + 1,
&decompblk, &decomplen); &decompblk, &decomplen)) {
bombout(("Zlib decompression encountered invalid data"));
crStop(0);
}
if (ssh->pktin.maxlen < st->pad + decomplen) { if (ssh->pktin.maxlen < st->pad + decomplen) {
ssh->pktin.maxlen = st->pad + decomplen; ssh->pktin.maxlen = st->pad + decomplen;

23
sshzlib.c
View File

@ -992,6 +992,16 @@ static int zlib_huflookup(unsigned long *bitsp, int *nbitsp,
*nbitsp = nbits; *nbitsp = nbits;
return ent->code; return ent->code;
} }
if (!tab) {
/*
* There was a missing entry in the table, presumably
* due to an invalid Huffman table description, and the
* subsequent data has attempted to use the missing
* entry. Return a decoding failure.
*/
return -2;
}
} }
} }
@ -1099,6 +1109,8 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
zlib_huflookup(&dctx->bits, &dctx->nbits, dctx->lenlentable); zlib_huflookup(&dctx->bits, &dctx->nbits, dctx->lenlentable);
if (code == -1) if (code == -1)
goto finished; goto finished;
if (code == -2)
goto decode_error;
if (code < 16) if (code < 16)
dctx->lengths[dctx->lenptr++] = code; dctx->lengths[dctx->lenptr++] = code;
else { else {
@ -1128,6 +1140,8 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
zlib_huflookup(&dctx->bits, &dctx->nbits, dctx->currlentable); zlib_huflookup(&dctx->bits, &dctx->nbits, dctx->currlentable);
if (code == -1) if (code == -1)
goto finished; goto finished;
if (code == -2)
goto decode_error;
if (code < 256) if (code < 256)
zlib_emit_char(dctx, code); zlib_emit_char(dctx, code);
else if (code == 256) { else if (code == 256) {
@ -1160,6 +1174,8 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
dctx->currdisttable); dctx->currdisttable);
if (code == -1) if (code == -1)
goto finished; goto finished;
if (code == -2)
goto decode_error;
dctx->state = GOTDISTSYM; dctx->state = GOTDISTSYM;
dctx->sym = code; dctx->sym = code;
break; break;
@ -1213,8 +1229,13 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
finished: finished:
*outblock = dctx->outblk; *outblock = dctx->outblk;
*outlen = dctx->outlen; *outlen = dctx->outlen;
return 1; return 1;
decode_error:
sfree(dctx->outblk);
*outblock = dctx->outblk = NULL;
*outlen = 0;
return 0;
} }
const struct ssh_compress ssh_zlib = { const struct ssh_compress ssh_zlib = {