From 49ad84283e4e5d8233f804d9de84271befae2a2d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 22 Apr 2026 16:57:02 +0200
Subject: [PATCH] packet: Avoid hidden integer underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Originally reported by Brian Carpenter b@deepforkcyber.com

Based on the never complted MR !724

Signed-off-by: Jakub Jelen
Reviewed-by: Pavol Žáčik
Merge-Request:
---
 src/packet.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/packet.c b/src/packet.c
index 0c78a468..d60bd5dd 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -1402,6 +1402,15 @@ ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
 processed = to_be_read - current_macsize;
 }
 
+ if (packet_offset - sizeof(uint32_t) > (size_t)packet_len) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Invalid packet length %" PRIu32 ", required %zu",
+ packet_len,
+ packet_offset + sizeof(uint32_t));
+ goto error;
+ }
+
 /* remaining encrypted bytes from the packet, MAC not included */
 packet_remaining = packet_len - (packet_offset - sizeof(uint32_t));
 cleartext_packet = ssh_buffer_allocate(session->in_buffer,
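Review bot: The "required %zu" value in the new ssh_set_error call prints `packet_offset + sizeof(uint32_t)`, while the guard on the line above rejects a `packet_len` smaller than `packet_offset - sizeof(uint32_t)`, so the logged minimum is two length-field sizes larger than the bound actually enforced and will mislead anyone debugging a rejected packet. Print the same expression the comparison uses, or hoist it into a local shared by both so they cannot drift apart: `size_t needed = packet_offset - sizeof(uint32_t);`, `if (needed > (size_t)packet_len) {`, and `needed` as the final ssh_set_error argument. The guard itself still performs `packet_offset - sizeof(uint32_t)` before checking anything, so it only avoids a wrap if packet_offset is already known to be at least sizeof(uint32_t) at this point; that appears to be established earlier in the function, outside this hunk, but is worth confirming with a comment such as `/* packet_offset >= sizeof(uint32_t): the length field has been consumed */`. ssh_packet_socket_callback begins and ends outside the hunk.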