authorAris Adamantiadis <aris@0xbadc0de.be>2009-09-16 22:29:22 +0200
committerAris Adamantiadis <aris@0xbadc0de.be>2009-09-16 22:29:22 +0200
commit7c7096d8f875e9235eab738cb79c71c882615121 (patch)
tree48ef695a4cc1ea6cb4b9296f3b1d8153d545485c /libssh
parentfd7b7bc3b537c0410eb9fb5c3e212dc84b63fb3a (diff)
Limit the size of acceptable compressed packets
Diffstat (limited to 'libssh')
-rw-r--r--libssh/gzip.c12
-rw-r--r--libssh/packet.c2
2 files changed, 9 insertions, 5 deletions
diff --git a/libssh/gzip.c b/libssh/gzip.c
index 0b2638c2..f82ff5a5 100644
--- a/libssh/gzip.c
+++ b/libssh/gzip.c
@@ -143,7 +143,7 @@ static z_stream *initdecompress(SSH_SESSION *session) {
return stream;
}
-static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source) {
+static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source, size_t maxlen) {
z_stream *zin = session->current_crypto->compress_in_ctx;
void *in_ptr = buffer_get_rest(source);
unsigned long in_size = buffer_get_rest_len(source);
@@ -183,17 +183,21 @@ static ssh_buffer gzip_decompress(SSH_SESSION *session, ssh_buffer source) {
buffer_free(dest);
return NULL;
}
-
+ if (buffer_get_len(dest) > maxlen){
+ /* Size of packet exceded, avoid a denial of service attack */
+ buffer_free(dest);
+ return NULL;
+ }
zin->next_out = out_buf;
} while (zin->avail_out == 0);
return dest;
}
-int decompress_buffer(SSH_SESSION *session,ssh_buffer buf){
+int decompress_buffer(SSH_SESSION *session,ssh_buffer buf, size_t maxlen){
ssh_buffer dest = NULL;
- dest = gzip_decompress(session,buf);
+ dest = gzip_decompress(session,buf, maxlen);
if (dest == NULL) {
return -1;
}
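Review bot: The new size check in gzip_decompress frees dest and returns NULL without recording a reason, so the `goto error` path in the caller cannot distinguish an oversized inflated packet from a corrupt zlib stream. Setting an error first, e.g. `ssh_set_error(session, SSH_FATAL, "Decompressed packet exceeds the size limit");`, would make this rejection visible to whoever reads the session error or logs; whether the earlier failure branch does the same is not visible, since the loop body starts outside the hunk. The check runs after the output block has been appended, so dest can exceed maxlen by up to one block before it is rejected; this is bounded, but the comment could say so, and "exceded" should read "exceeded". decompress_buffer is not static and its signature changes here, so its prototype (presumably in a header outside this diffstat, which is limited to 'libssh') needs the same `size_t maxlen` parameter.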
diff --git a/libssh/packet.c b/libssh/packet.c
index f0a56b17..0952f341 100644
--- a/libssh/packet.c
+++ b/libssh/packet.c
@@ -192,7 +192,7 @@ static int packet_read2(SSH_SESSION *session) {
#if defined(HAVE_LIBZ) && defined(WITH_LIBZ)
if (session->current_crypto && session->current_crypto->do_compress_in) {
ssh_log(session, SSH_LOG_PACKET, "Decompressing in_buffer ...");
- if (decompress_buffer(session, session->in_buffer) < 0) {
+ if (decompress_buffer(session, session->in_buffer, MAX_PACKET_LEN) < 0) {
goto error;
}
}
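Review bot: The call in packet_read2 passes MAX_PACKET_LEN as the ceiling for the inflated payload with nothing at the call site saying what the third argument bounds. A one-line comment above the call, such as `/* cap the decompressed payload at MAX_PACKET_LEN to bound memory use */`, would record that the limit applies to the output of decompression and not to the compressed input already held in in_buffer. packet_read2 starts and ends outside the hunk.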