Applied Francois Dupoux's extra checks for weird packet or padding length in

incoming packets. We really need to bail out this way on weird input. bug report #2814613
2009-07-07 13:26:42 +02:00 · 2009-07-07 13:26:42 +02:00 · acbdbb8914
--- a/src/transport.c
+++ b/src/transport.c
@ -431,7 +431,12 @@ _libssh2_transport_read(LIBSSH2_SESSION * session)
             * and we can extract packet and padding length from it
             */
            p->packet_length = _libssh2_ntohu32(block);
+            if ((p->packet_length < 1) || (p->packet_length > PACKETBUFSIZE))
+                return PACKET_FAIL;
+
            p->padding_length = block[4];
+            if (p->padding_length < 0)
+                return PACKET_FAIL;

            /* total_num is the number of bytes following the initial
               (5 bytes) packet length and padding length fields */