packet: Avoid hidden integer underflow

Originally reported by Brian Carpenter b@deepforkcyber.com Based on the never complted MR !724 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Pavol Žáčik <pzacik@redhat.com> Merge-Request: <https://gitlab.com/libssh/libssh-mirror/-/merge_requests/819>
2026-06-11 12:56:21 +09:00 · 2026-04-22 16:57:02 +02:00
parent b2065f71c9
commit 49ad84283e
1 changed files with 9 additions and 0 deletions
--- a/src/packet.c
+++ b/src/packet.c
@@ -1402,6 +1402,15 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
                processed = to_be_read - current_macsize;
            }

+            if (packet_offset - sizeof(uint32_t) > (size_t)packet_len) {
+                ssh_set_error(session,
+                              SSH_FATAL,
+                              "Invalid packet length %" PRIu32 ", required %zu",
+                              packet_len,
+                              packet_offset + sizeof(uint32_t));
+                goto error;
+            }
+
            /* remaining encrypted bytes from the packet, MAC not included */
            packet_remaining = packet_len - (packet_offset - sizeof(uint32_t));
            cleartext_packet = ssh_buffer_allocate(session->in_buffer,