diff options
author | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-09-16 22:29:22 +0200 |
---|---|---|
committer | Aris Adamantiadis <aris@0xbadc0de.be> | 2009-09-16 22:29:22 +0200 |
commit | 7c7096d8f875e9235eab738cb79c71c882615121 (patch) | |
tree | 48ef695a4cc1ea6cb4b9296f3b1d8153d545485c /libssh/gzip.c | |
parent | fd7b7bc3b537c0410eb9fb5c3e212dc84b63fb3a (diff) | |
download | libssh-7c7096d8f875e9235eab738cb79c71c882615121.tar.gz libssh-7c7096d8f875e9235eab738cb79c71c882615121.tar.xz libssh-7c7096d8f875e9235eab738cb79c71c882615121.zip |
Limit the size of acceptable compressed packets
Diffstat (limited to 'libssh/gzip.c')
-rw-r--r-- | libssh/gzip.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/libssh/gzip.c b/libssh/gzip.c index 0b2638c2..f82ff5a5 100644 --- a/libssh/gzip.c +++ b/libssh/gzip.c @@ -143,7 +143,7 @@ static z_stream *initdecompress(SSH_SESSION *session) { return stream; } -static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source) { +static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source, size_t maxlen) { z_stream *zin = session->current_crypto->compress_in_ctx; void *in_ptr = buffer_get_rest(source); unsigned long in_size = buffer_get_rest_len(source); @@ -183,17 +183,21 @@ static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source) { buffer_free(dest); return NULL; } - + if (buffer_get_len(dest) > maxlen){ + /* Size of packet exceded, avoid a denial of service attack */ + buffer_free(dest); + return NULL; + } zin->next_out = out_buf; } while (zin->avail_out == 0); return dest; } -int decompress_buffer(SSH_SESSION *session,ssh_buffer buf){ +int decompress_buffer(SSH_SESSION *session,ssh_buffer buf, size_t maxlen){ ssh_buffer dest = NULL; - dest = gzip_decompress(session,buf); + dest = gzip_decompress(session,buf, maxlen); if (dest == NULL) { return -1; } |