lib/libssh2
1
0
Fork 0
mirror of https://github.com/libssh2/libssh2.git synced 2025-11-23 01:22:37 +03:00
Code Activity

Guard against out-of-bounds reads in session.c

Browse Source
This commit is contained in:
Michael Buckley
2018-12-06 12:22:10 -08:00
parent 8031a60518
commit 09240d8917
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/session.c
View File

@@ -783,6 +783,7 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
session->startup_service_length = session->startup_service_length =
_libssh2_ntohu32(session->startup_data + 1); _libssh2_ntohu32(session->startup_data + 1);
if((session->startup_service_length != (sizeof("ssh-userauth") - 1)) if((session->startup_service_length != (sizeof("ssh-userauth") - 1))
|| strncmp("ssh-userauth", (char *) session->startup_data + 5, || strncmp("ssh-userauth", (char *) session->startup_data + 5,
session->startup_service_length)) { session->startup_service_length)) {
@@ -1429,6 +1430,11 @@ libssh2_poll_channel_read(LIBSSH2_CHANNEL *channel, int extended)
packet = _libssh2_list_first(&session->packets); packet = _libssh2_list_first(&session->packets);
while(packet) { while(packet) {
if (packet->data_len < 5) {
return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
"Packet too small");
}
if(channel->local.id == _libssh2_ntohu32(packet->data + 1)) { if(channel->local.id == _libssh2_ntohu32(packet->data + 1)) {
if(extended == 1 && if(extended == 1 &&
(packet->data[0] == SSH_MSG_CHANNEL_EXTENDED_DATA (packet->data[0] == SSH_MSG_CHANNEL_EXTENDED_DATA