lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-27 13:21:11 +03:00
Code Activity

sftp: Fix incorrect handling of received length fields

Browse Source 
Signed-off-by: Tilo Eckert <tilo.eckert@flam.de>
This commit is contained in:
Tilo Eckert
2015-07-31 13:22:02 +02:00
committed by Aris Adamantiadis
parent dc9c4d22ab
commit 672c3be9ed
1 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/sftp.c
View File

@@ -307,7 +307,7 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
sftp_packet packet = NULL; sftp_packet packet = NULL;
uint32_t tmp; uint32_t tmp;
size_t size; size_t size;
int r; int r, s;
packet = malloc(sizeof(struct sftp_packet_struct)); packet = malloc(sizeof(struct sftp_packet_struct));
if (packet == NULL) { if (packet == NULL) {
@@ -322,12 +322,18 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
return NULL; return NULL;
} }
r=ssh_channel_read(sftp->channel, buffer, 4, 0); r=0;
if (r < 0) { do {
ssh_buffer_free(packet->payload); // read from channel until 4 bytes have been read or an error occurs
SAFE_FREE(packet); s=ssh_channel_read(sftp->channel, buffer+r, 4-r, 0);
return NULL; if (s < 0) {
} ssh_buffer_free(packet->payload);
SAFE_FREE(packet);
return NULL;
} else {
r += s;
}
} while (r<4);
ssh_buffer_add_data(packet->payload, buffer, r); ssh_buffer_add_data(packet->payload, buffer, r);
if (buffer_get_u32(packet->payload, &tmp) != sizeof(uint32_t)) { if (buffer_get_u32(packet->payload, &tmp) != sizeof(uint32_t)) {
ssh_set_error(sftp->session, SSH_FATAL, "Short sftp packet!"); ssh_set_error(sftp->session, SSH_FATAL, "Short sftp packet!");