packet: Add a bound check for nr_extensions

CID 1395335 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
author: Andreas Schneider <asn@cryptomilk.org> 2018-09-01 09:26:37 +0200
committer: Andreas Schneider <asn@cryptomilk.org> 2018-09-01 09:40:44 +0200
commit: 461ebd1e2fa7649397348321dc3d702a7d49e18d (patch)
tree: 47379531cc271c2127defbb14759a55137656b26 /src/packet_cb.c
parent: be147e897d4a5d0147308722214e7ade20bb67f6 (diff)
download: libssh-461ebd1e2fa7649397348321dc3d702a7d49e18d.tar.gz
libssh-461ebd1e2fa7649397348321dc3d702a7d49e18d.tar.xz
libssh-461ebd1e2fa7649397348321dc3d702a7d49e18d.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/packet_cb.c b/src/packet_cb.c
index c3a1997f..6dfcbcab 100644
--- a/src/packet_cb.c
+++ b/src/packet_cb.c
@@ -291,7 +291,13 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info)
         SSH_LOG(SSH_LOG_PACKET, "Failed to read number of extensions");
         return SSH_PACKET_USED;
     }
+
     nr_extensions = ntohl(nr_extensions);
+    if (nr_extensions > 128) {
+        SSH_LOG(SSH_LOG_PACKET, "Invalid number of extensions");
+        return SSH_PACKET_USED;
+    }
+
     SSH_LOG(SSH_LOG_PACKET, "Follows %u extensions", nr_extensions);
 
     for (i = 0; i < nr_extensions; i++) {
author	Andreas Schneider <asn@cryptomilk.org>	2018-09-01 09:26:37 +0200
committer	Andreas Schneider <asn@cryptomilk.org>	2018-09-01 09:40:44 +0200
commit	461ebd1e2fa7649397348321dc3d702a7d49e18d (patch)
tree	47379531cc271c2127defbb14759a55137656b26 /src/packet_cb.c
parent	be147e897d4a5d0147308722214e7ade20bb67f6 (diff)
download	libssh-461ebd1e2fa7649397348321dc3d702a7d49e18d.tar.gz libssh-461ebd1e2fa7649397348321dc3d702a7d49e18d.tar.xz libssh-461ebd1e2fa7649397348321dc3d702a7d49e18d.zip