buffer: Validate the length before before memory allocation

Check if the size the other party sent is a valid size in the transmitted buffer. Thanks to Alex Gaynor for finding and reporting the issue. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2025-11-27 13:21:11 +03:00 · 2017-02-23 16:24:17 +01:00
parent c165c396de
commit 68b7ca6e92
1 changed files with 19 additions and 2 deletions
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -854,10 +854,12 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
        char **cstring;
        void **data;
    } o;
-    size_t len, rlen;
+    size_t len, rlen, max_len;
    va_list ap_copy;
    int count;

+    max_len = ssh_buffer_get_len(buffer);
+
    /* copy the argument list in case a rollback is needed */
    va_copy(ap_copy, ap);

@@ -909,10 +911,16 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
                break;
            }
            len = ntohl(u32len);
-            if (len > UINT_MAX - 1){
+            if (len > max_len - 1) {
                rc = SSH_ERROR;
                break;
            }
+
+            rc = ssh_buffer_validate_length(buffer, len);
+            if (rc != SSH_OK) {
+                break;
+            }
+
            *o.cstring = malloc(len + 1);
            if (*o.cstring == NULL){
                rc = SSH_ERROR;
@@ -931,6 +939,15 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
        }
        case 'P':
            len = va_arg(ap, size_t);
+            if (len > max_len - 1) {
+                rc = SSH_ERROR;
+                break;
+            }
+
+            rc = ssh_buffer_validate_length(buffer, len);
+            if (rc != SSH_OK) {
+                break;
+            }

            o.data = va_arg(ap, void **);
            count++;