mirror of
https://github.com/libssh2/libssh2.git
packet.c: improved parsing in packet_x11_open (#410)
Use new API to parse data in packet_x11_open() for better bounds checking.
63
src/packet.c
63
src/packet.c
@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data,
|
|||||||
LIBSSH2_CHANNEL *channel = x11open_state->channel;
|
LIBSSH2_CHANNEL *channel = x11open_state->channel;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
(void) datalen;
|
|
||||||
|
|
||||||
if(x11open_state->state == libssh2_NB_state_idle) {
|
if(x11open_state->state == libssh2_NB_state_idle) {
|
||||||
unsigned char *s = data + (sizeof("x11") - 1) + 5;
|
|
||||||
x11open_state->sender_channel = _libssh2_ntohu32(s);
|
unsigned long offset = (sizeof("x11") - 1) + 5;
|
||||||
s += 4;
|
size_t temp_len = 0;
|
||||||
x11open_state->initial_window_size = _libssh2_ntohu32(s);
|
struct string_buf buf;
|
||||||
s += 4;
|
buf.data = data;
|
||||||
x11open_state->packet_size = _libssh2_ntohu32(s);
|
buf.dataptr = buf.data;
|
||||||
s += 4;
|
buf.len = datalen;
|
||||||
x11open_state->shost_len = _libssh2_ntohu32(s);
|
|
||||||
s += 4;
|
if(datalen < offset) {
|
||||||
x11open_state->shost = s;
|
_libssh2_error(session, LIBSSH2_ERROR_INVAL,
|
||||||
s += x11open_state->shost_len;
|
"unexpected data length");
|
||||||
x11open_state->sport = _libssh2_ntohu32(s);
|
failure_code = SSH_OPEN_CONNECT_FAILED;
|
||||||
|
goto x11_exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
buf.dataptr += offset;
|
||||||
|
|
||||||
|
if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) {
|
||||||
|
_libssh2_error(session, LIBSSH2_ERROR_INVAL,
|
||||||
|
"unexpected sender channel size");
|
||||||
|
failure_code = SSH_OPEN_CONNECT_FAILED;
|
||||||
|
goto x11_exit;
|
||||||
|
}
|
||||||
|
if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) {
|
||||||
|
_libssh2_error(session, LIBSSH2_ERROR_INVAL,
|
||||||
|
"unexpected window size");
|
||||||
|
failure_code = SSH_OPEN_CONNECT_FAILED;
|
||||||
|
goto x11_exit;
|
||||||
|
}
|
||||||
|
if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) {
|
||||||
|
_libssh2_error(session, LIBSSH2_ERROR_INVAL,
|
||||||
|
"unexpected window size");
|
||||||
|
failure_code = SSH_OPEN_CONNECT_FAILED;
|
||||||
|
goto x11_exit;
|
||||||
|
}
|
||||||
|
if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) {
|
||||||
|
_libssh2_error(session, LIBSSH2_ERROR_INVAL,
|
||||||
|
"unexpected host size");
|
||||||
|
failure_code = SSH_OPEN_CONNECT_FAILED;
|
||||||
|
goto x11_exit;
|
||||||
|
}
|
||||||
|
x11open_state->shost_len = (uint32_t)temp_len;
|
||||||
|
|
||||||
|
if(_libssh2_get_u32(&buf, &(x11open_state->sport))) {
|
||||||
|
_libssh2_error(session, LIBSSH2_ERROR_INVAL,
|
||||||
|
"unexpected port size");
|
||||||
|
failure_code = SSH_OPEN_CONNECT_FAILED;
|
||||||
|
goto x11_exit;
|
||||||
|
}
|
||||||
|
|
||||||
_libssh2_debug(session, LIBSSH2_TRACE_CONN,
|
_libssh2_debug(session, LIBSSH2_TRACE_CONN,
|
||||||
"X11 Connection Received from %s:%ld on channel %lu",
|
"X11 Connection Received from %s:%ld on channel %lu",
|
||||||
|
|||||||
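Review bot: The packet_size check reuses the message of the initial_window_size check, so a truncated packet-size field is reported as `"unexpected window size"`; it should read `"unexpected packet size"` so the two failures can be told apart in error traces. Separately, shost is filled by _libssh2_get_string() with its length kept in shost_len, which suggests a length-delimited pointer into the packet rather than a NUL-terminated string, while the trace format that follows still uses `%s`. If shost is the argument there (the argument list is outside the hunk), that read is not bounded by shost_len, and `%.*s` with `(int)x11open_state->shost_len` would bound it. The x11_exit label and the rest of packet_x11_open are also outside the hunk, so it is worth confirming that the failure reply does not depend on a sender_channel that was never parsed when the first _libssh2_get_u32() fails.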