summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2017-01-03 05:46:52 +0000
committerDamien Miller <djm@cvs.openbsd.org>2017-01-03 05:46:52 +0000
commitf73635e9601be04fc5a12934299e485688f1ef17 (patch)
tree9aa7b0bad4a172ed33a693ae18bb10faedd55d3f /usr.bin
parent32b30826874a07a695c1f5f963a4fbf8b084955f (diff)
check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/sftp-client.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/ssh/sftp-client.c b/usr.bin/ssh/sftp-client.c
index 0f8b31e3e8f..cdc6730ca5e 100644
--- a/usr.bin/ssh/sftp-client.c
+++ b/usr.bin/ssh/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@@ -580,6 +580,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
if ((r = sshbuf_get_u32(msg, &count)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (count > SSHBUF_SIZE_MAX)
+ fatal("%s: nonsensical number of entries", __func__);
if (count == 0)
break;
debug3("Received %d SSH2_FXP_NAME responses", count);