misc: Make sure ssh_analyze_banner has proper length checks.

src/misc.c

@@ -706,8 +706,21 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
       banner = session->serverbanner;
   }
 
-  if (banner == NULL ||
+  if (banner == NULL) {
-      strlen(banner) <= 4 ||
+      ssh_set_error(session, SSH_FATAL, "Invalid banner");
+      return -1;
+  }
+
+  /*
+   * Typical banners e.g. are:
+   *
+   * SSH-1.5-openSSH_5.4
+   * SSH-1.99-openSSH_3.0
+   *
+   * SSH-2.0-something
+   * 012345678901234567890
+   */
+  if (strlen(banner) < 6 ||
       strncmp(banner, "SSH-", 4) != 0) {
     ssh_set_error(session, SSH_FATAL, "Protocol mismatch: %s", banner);
     return -1;
@@ -715,20 +728,16 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
 
   ssh_log(session, SSH_LOG_RARE, "Analyzing banner: %s", banner);
 
-  /*
-   * Typical banners e.g. are:
-   * SSH-1.5-blah
-   * SSH-1.99-blah
-   * SSH-2.0-blah
-   */
   switch(banner[4]) {
     case '1':
       *ssh1 = 1;
+      if (strlen(banner) > 6) {
           if (banner[6] == '9') {
             *ssh2 = 1;
           } else {
             *ssh2 = 0;
           }
+      }
       break;
     case '2':
       *ssh1 = 0;
@@ -742,6 +751,13 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
   openssh = strstr(banner, "OpenSSH");
   if (openssh != NULL) {
       int major, minor;
+
+      /*
+       * The banner is typical:
+       * OpenSSH_5.4
+       * 012345678901234567890
+       */
+      if (strlen(openss) > 9) {
           major = strtol(openssh + 8, (char **) NULL, 10);
           minor = strtol(openssh + 10, (char **) NULL, 10);
           session->openssh = SSH_VERSION_INT(major, minor, 0);
@@ -749,6 +765,8 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
                   "We are talking to an OpenSSH client version: %d.%d (%x)",
                   major, minor, session->openssh);
       }
+  }
+
 
   return 0;
 }