From f73635e9601be04fc5a12934299e485688f1ef17 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Tue, 3 Jan 2017 05:46:52 +0000
Subject: check number of entries in SSH2_FXP_NAME response; avoids unreachable overflow later. Reported by Jann Horn
---
 usr.bin/ssh/sftp-client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 (limited to 'usr.bin')
diff --git a/usr.bin/ssh/sftp-client.c b/usr.bin/ssh/sftp-client.c
index 0f8b31e3e8f..cdc6730ca5e 100644
--- a/usr.bin/ssh/sftp-client.c
+++ b/usr.bin/ssh/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */
 /*
 * Copyright (c) 2001-2004 Damien Miller
 *
@@ -580,6 +580,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
 if ((r = sshbuf_get_u32(msg, &count)) != 0)
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (count > SSHBUF_SIZE_MAX)
+ fatal("%s: nonsensical number of entries", __func__);
 if (count == 0)
 break;
 debug3("Received %d SSH2_FXP_NAME responses", count);
--
cgit v1.2.3
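Review bot: The new `count > SSHBUF_SIZE_MAX` guard in do_lsreaddir compares a server-supplied entry count against a byte-size limit without saying why, so the bound reads as arbitrary. A comment such as `/* a reply cannot hold more entries than the largest sshbuf has bytes; reject counts that could overflow later arithmetic */` would record the intent. Because count is taken directly from the peer's SSH2_FXP_NAME reply, a tighter sanity check against what was actually received, e.g. `if (count > sshbuf_len(msg))`, would reject an inflated count before any per-entry work, assuming every entry consumes at least one byte of msg. The context line `debug3("Received %d SSH2_FXP_NAME responses", count)` prints what appears to be an unsigned value with `%d`, where `%u` would match. The rest of do_lsreaddir lies outside the hunk, so how count is used afterwards is inferred from the commit message only.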