diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2017-01-03 05:46:52 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2017-01-03 05:46:52 +0000 |
commit | f73635e9601be04fc5a12934299e485688f1ef17 (patch) | |
tree | 9aa7b0bad4a172ed33a693ae18bb10faedd55d3f /usr.bin | |
parent | 32b30826874a07a695c1f5f963a4fbf8b084955f (diff) |
check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/sftp-client.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/ssh/sftp-client.c b/usr.bin/ssh/sftp-client.c index 0f8b31e3e8f..cdc6730ca5e 100644 --- a/usr.bin/ssh/sftp-client.c +++ b/usr.bin/ssh/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org> * @@ -580,6 +580,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag, if ((r = sshbuf_get_u32(msg, &count)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (count > SSHBUF_SIZE_MAX) + fatal("%s: nonsensical number of entries", __func__); if (count == 0) break; debug3("Received %d SSH2_FXP_NAME responses", count); |