Limit the size of acceptable compressed packets
Этот коммит содержится в:
Aris Adamantiadis
родитель
fd7b7bc3b5
Коммит
7c7096d8f8
@ -785,7 +785,7 @@ unsigned char *bin_to_base64(const unsigned char *source, int len);
|
|||||||
|
|
||||||
/* gzip.c */
|
/* gzip.c */
|
||||||
int compress_buffer(SSH_SESSION *session,ssh_buffer buf);
|
int compress_buffer(SSH_SESSION *session,ssh_buffer buf);
|
||||||
int decompress_buffer(SSH_SESSION *session,ssh_buffer buf);
|
int decompress_buffer(SSH_SESSION *session,ssh_buffer buf, size_t maxlen);
|
||||||
|
|
||||||
/* wrapper.c */
|
/* wrapper.c */
|
||||||
int crypt_set_algorithms(SSH_SESSION *);
|
int crypt_set_algorithms(SSH_SESSION *);
|
||||||
|
|||||||
@ -143,7 +143,7 @@ static z_stream *initdecompress(SSH_SESSION *session) {
|
|||||||
return stream;
|
return stream;
|
||||||
}
|
}
|
||||||
|
|
||||||
static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source) {
|
static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source, size_t maxlen) {
|
||||||
z_stream *zin = session->current_crypto->compress_in_ctx;
|
z_stream *zin = session->current_crypto->compress_in_ctx;
|
||||||
void *in_ptr = buffer_get_rest(source);
|
void *in_ptr = buffer_get_rest(source);
|
||||||
unsigned long in_size = buffer_get_rest_len(source);
|
unsigned long in_size = buffer_get_rest_len(source);
|
||||||
@ -183,17 +183,21 @@ static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source) {
|
|||||||
buffer_free(dest);
|
buffer_free(dest);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
if (buffer_get_len(dest) > maxlen){
|
||||||
|
/* Size of packet exceded, avoid a denial of service attack */
|
||||||
|
buffer_free(dest);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
zin->next_out = out_buf;
|
zin->next_out = out_buf;
|
||||||
} while (zin->avail_out == 0);
|
} while (zin->avail_out == 0);
|
||||||
|
|
||||||
return dest;
|
return dest;
|
||||||
}
|
}
|
||||||
|
|
||||||
int decompress_buffer(SSH_SESSION *session,ssh_buffer buf){
|
int decompress_buffer(SSH_SESSION *session,ssh_buffer buf, size_t maxlen){
|
||||||
ssh_buffer dest = NULL;
|
ssh_buffer dest = NULL;
|
||||||
|
|
||||||
dest = gzip_decompress(session,buf);
|
dest = gzip_decompress(session,buf, maxlen);
|
||||||
if (dest == NULL) {
|
if (dest == NULL) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -192,7 +192,7 @@ static int packet_read2(SSH_SESSION *session) {
|
|||||||
#if defined(HAVE_LIBZ) && defined(WITH_LIBZ)
|
#if defined(HAVE_LIBZ) && defined(WITH_LIBZ)
|
||||||
if (session->current_crypto && session->current_crypto->do_compress_in) {
|
if (session->current_crypto && session->current_crypto->do_compress_in) {
|
||||||
ssh_log(session, SSH_LOG_PACKET, "Decompressing in_buffer ...");
|
ssh_log(session, SSH_LOG_PACKET, "Decompressing in_buffer ...");
|
||||||
if (decompress_buffer(session, session->in_buffer) < 0) {
|
if (decompress_buffer(session, session->in_buffer, MAX_PACKET_LEN) < 0) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Загрузка…
x
Ссылка в новой задаче
Block a user