From 461ebd1e2fa7649397348321dc3d702a7d49e18d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Sat, 1 Sep 2018 09:26:37 +0200 Subject: packet: Add a bound check for nr_extensions CID 1395335 Signed-off-by: Andreas Schneider --- src/packet_cb.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/packet_cb.c') diff --git a/src/packet_cb.c b/src/packet_cb.c index c3a1997f..6dfcbcab 100644 --- a/src/packet_cb.c +++ b/src/packet_cb.c @@ -291,7 +291,13 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info) SSH_LOG(SSH_LOG_PACKET, "Failed to read number of extensions"); return SSH_PACKET_USED; } + nr_extensions = ntohl(nr_extensions); + if (nr_extensions > 128) { + SSH_LOG(SSH_LOG_PACKET, "Invalid number of extensions"); + return SSH_PACKET_USED; + } + SSH_LOG(SSH_LOG_PACKET, "Follows %u extensions", nr_extensions); for (i = 0; i < nr_extensions; i++) { -- cgit v1.2.3
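Review bot: The limit in the added `if (nr_extensions > 128)` is an unexplained magic number, and the rejection path logs no value, so someone reading the packet log cannot tell a slightly oversized count from a wildly out-of-range one sent by the peer. A comment above the check such as `/* Sanity cap on the peer-supplied count; bounds the loop below (CID 1395335) */` and a message that records the value, `SSH_LOG(SSH_LOG_PACKET, "Invalid number of extensions: %u", nr_extensions);`, would cover both. Returning `SSH_PACKET_USED` here discards the whole message while the session carries on; that looks intentional, but the comment should say so. The body of `ssh_packet_ext_info` starts and ends outside the hunk, so whether the loop also stops on a short read cannot be confirmed from here.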