From 9ef0837c80eea152244500302f05639a2a70b9af Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis
Date: Sun, 13 Sep 2009 22:07:01 +0200
Subject: [PATCH] Fix the security bug found by Orange Labs

Verify the length of decrypt operation is a multiple of blocksize
---
 libssh/crypt.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libssh/crypt.c b/libssh/crypt.c
index 3e9a8525..5c95e62d 100644
--- a/libssh/crypt.c
+++ b/libssh/crypt.c
@@ -60,7 +60,10 @@ u32 packet_decrypt_len(SSH_SESSION *session, char *crypted){
 int packet_decrypt(SSH_SESSION *session, void *data,u32 len) {
 struct crypto_struct *crypto = session->current_crypto->in_cipher;
 char *out = NULL;
-
+ if(len % session->current_crypto->in_cipher->blocksize != 0){
+ ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
+ return SSH_ERROR;
+ }
 out = malloc(len);
 if (out == NULL) {
 return -1;
@@ -100,7 +103,10 @@ unsigned char *packet_encrypt(SSH_SESSION *session, void *data, u32 len) {
 if (!session->current_crypto) {
 return NULL; /* nothing to do here */
 }
-
+ if(len % session->current_crypto->in_cipher->blocksize != 0){
+ ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
+ return NULL;
+ }
 out = malloc(len);
 if (out == NULL) {
 return NULL;
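Review bot: The guard added to packet_decrypt prints `len`, a `u32` (presumably unsigned), with `%d`, and its message speaks of "at least one blocksize" although the condition tests for a multiple of the block size, which a length of 0 also satisfies; the identical message and specifier are repeated in the packet_encrypt hunk. Printing it as `"Decrypt length is not a multiple of the cipher block size (received %u)", len` would state what was actually rejected. If a zero length is never valid at this point, the condition could be `if (len == 0 || len % crypto->blocksize != 0) {`, reusing the `crypto` local initialised just above. The modulo also assumes `blocksize` is never 0, which is not visible here. packet_decrypt's body continues past the end of the hunk.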
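Review bot: The guard added to packet_encrypt tests `in_cipher->blocksize`, but an encrypt routine would normally run the outgoing cipher, and the two directions of an SSH connection can negotiate ciphers with different block sizes; if the body (outside this hunk) uses `out_cipher`, the check should read `if (len % session->current_crypto->out_cipher->blocksize != 0) {`. The new failure path also returns `NULL`, the same value the lines just above return for "nothing to do here", so a caller cannot tell a rejected length from the no-encryption case unless it inspects the session error. It is worth confirming that no caller goes on to transmit the buffer after this branch is taken.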