From 09240d8917380f9fe8c15b571ffc396bf4190a90 Mon Sep 17 00:00:00 2001
From: Michael Buckley
Date: Thu, 6 Dec 2018 12:22:10 -0800
Subject: [PATCH] Guard against out-of-bounds reads in session.c
---
 src/session.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/session.c b/src/session.c
index bec76525..1026f27b 100644
--- a/src/session.c
+++ b/src/session.c
@@ -783,6 +783,7 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
 session->startup_service_length = _libssh2_ntohu32(session->startup_data + 1);
+
 if((session->startup_service_length != (sizeof("ssh-userauth") - 1)) || strncmp("ssh-userauth", (char *) session->startup_data + 5, session->startup_service_length)) {
@@ -1429,6 +1430,11 @@ libssh2_poll_channel_read(LIBSSH2_CHANNEL *channel, int extended)
 packet = _libssh2_list_first(&session->packets);
 while(packet) {
+ if (packet->data_len < 5) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Packet too small");
+ }
+
 if(channel->local.id == _libssh2_ntohu32(packet->data + 1)) {
 if(extended == 1 && (packet->data[0] == SSH_MSG_CHANNEL_EXTENDED_DATA
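Review bot: The new early return in libssh2_poll_channel_read hands back the non-zero LIBSSH2_ERROR_* code from `_libssh2_error()`, so any caller that only tests this function's result for truthiness (the callers are outside the patch) would treat a truncated packet as "data is readable". Either state the error return in the function's header comment or confirm every caller compares with `> 0`. The guard is also written `if (packet->data_len < 5) {` while the neighbouring lines use `if(` and `while(` without a space; `if(packet->data_len < 5) {` matches the file. In the session_startup hunk the only added line is blank, so the reads at `session->startup_data + 1` and `session->startup_data + 5` still have no length check visible in this patch; if none sits above the hunk, the received startup data length should be compared with 5 plus the service-name length before `_libssh2_ntohu32` is called. Both function bodies continue outside their hunks.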