shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-07 18:50:27 +09:00
Code Issues Packages Projects Releases Wiki Activity

sftp: Fix size check

Browse Source 
CID: #1296588

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Andreas Schneider
2015-05-05 10:07:16 +02:00
parent a4cecf59d5
commit ca501df8c8
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/sftp.c
View File

@@ -313,7 +313,8 @@ int sftp_packet_write(sftp_session sftp, uint8_t type, ssh_buffer payload){
sftp_packet sftp_packet_read(sftp_session sftp) { sftp_packet sftp_packet_read(sftp_session sftp) {
unsigned char buffer[MAX_BUF_SIZE]; unsigned char buffer[MAX_BUF_SIZE];
sftp_packet packet = NULL; sftp_packet packet = NULL;
uint32_t size; uint32_t tmp;
size_t size;
int r; int r;
packet = malloc(sizeof(struct sftp_packet_struct)); packet = malloc(sizeof(struct sftp_packet_struct));
@@ -336,7 +337,7 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
return NULL; return NULL;
} }
ssh_buffer_add_data(packet->payload, buffer, r); ssh_buffer_add_data(packet->payload, buffer, r);
if (buffer_get_u32(packet->payload, &size) != sizeof(uint32_t)) { if (buffer_get_u32(packet->payload, &tmp) != sizeof(uint32_t)) {
ssh_set_error(sftp->session, SSH_FATAL, "Short sftp packet!"); ssh_set_error(sftp->session, SSH_FATAL, "Short sftp packet!");
ssh_buffer_free(packet->payload); ssh_buffer_free(packet->payload);
SAFE_FREE(packet); SAFE_FREE(packet);
@@ -353,12 +354,13 @@ sftp_packet sftp_packet_read(sftp_session sftp) {
ssh_buffer_add_data(packet->payload, buffer, r); ssh_buffer_add_data(packet->payload, buffer, r);
buffer_get_u8(packet->payload, &packet->type); buffer_get_u8(packet->payload, &packet->type);
size = ntohl(size); size = ntohl(tmp);
if (size == 0 || size > UINT_MAX) { if (size == 0) {
return packet; return packet;
} }
size--; size--;
while (size>0){
while (size > 0 && size < UINT_MAX) {
r=ssh_channel_read(sftp->channel,buffer, r=ssh_channel_read(sftp->channel,buffer,
sizeof(buffer)>size ? size:sizeof(buffer),0); sizeof(buffer)>size ? size:sizeof(buffer),0);