shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-09 18:04:25 +09:00
Code Issues Packages Projects Releases Wiki Activity

sftp: Validate the packet handle before we allocate memory

Browse Source 
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Andreas Schneider
2018-09-08 09:12:27 +02:00
parent 573eab0d51
commit 12fc0ea1bf
1 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/sftp.c
View File

@@ -474,6 +474,22 @@ static sftp_message sftp_get_message(sftp_packet packet)
sftp_message msg = NULL; sftp_message msg = NULL;
int rc; int rc;
switch(packet->type) {
case SSH_FXP_STATUS:
case SSH_FXP_HANDLE:
case SSH_FXP_DATA:
case SSH_FXP_ATTRS:
case SSH_FXP_NAME:
case SSH_FXP_EXTENDED_REPLY:
break;
default:
ssh_set_error(packet->sftp->session,
SSH_FATAL,
"Unknown packet type %d",
packet->type);
return NULL;
}
msg = sftp_message_new(sftp); msg = sftp_message_new(sftp);
if (msg == NULL) { if (msg == NULL) {
return NULL; return NULL;
@@ -482,15 +498,6 @@ static sftp_message sftp_get_message(sftp_packet packet)
msg->sftp = packet->sftp; msg->sftp = packet->sftp;
msg->packet_type = packet->type; msg->packet_type = packet->type;
if ((packet->type != SSH_FXP_STATUS) && (packet->type!=SSH_FXP_HANDLE) &&
(packet->type != SSH_FXP_DATA) && (packet->type != SSH_FXP_ATTRS) &&
(packet->type != SSH_FXP_NAME) && (packet->type != SSH_FXP_EXTENDED_REPLY)) {
ssh_set_error(packet->sftp->session, SSH_FATAL,
"Unknown packet type %d", packet->type);
sftp_message_free(msg);
return NULL;
}
rc = ssh_buffer_unpack(packet->payload, "d", &msg->id); rc = ssh_buffer_unpack(packet->payload, "d", &msg->id);
if (rc != SSH_OK) { if (rc != SSH_OK) {
ssh_set_error(packet->sftp->session, SSH_FATAL, ssh_set_error(packet->sftp->session, SSH_FATAL,