diff options
-rw-r--r-- | libssh/crypt.c | 11 | ||||
-rw-r--r-- | libssh/packet.c | 25 |
2 files changed, 27 insertions, 9 deletions
diff --git a/libssh/crypt.c b/libssh/crypt.c index 49aa44b..75c22df 100644 --- a/libssh/crypt.c +++ b/libssh/crypt.c @@ -39,8 +39,12 @@ u32 packet_decrypt_len(SSH_SESSION *session, char *crypted){ u32 decrypted; - if(session->current_crypto) - packet_decrypt(session,crypted,session->current_crypto->in_cipher->blocksize); + if (session->current_crypto) { + if (packet_decrypt(session, crypted, + session->current_crypto->in_cipher->blocksize) < 0) { + return ntohl(0); + } + } memcpy(&decrypted,crypted,sizeof(decrypted)); ssh_log(session, SSH_LOG_PACKET, "Packet size decrypted: %lu (0x%lx)", @@ -52,6 +56,9 @@ u32 packet_decrypt_len(SSH_SESSION *session, char *crypted){ int packet_decrypt(SSH_SESSION *session, void *data,u32 len){ struct crypto_struct *crypto=session->current_crypto->in_cipher; char *out=malloc(len); + if (out == NULL) { + return -1; + } ssh_log(session,SSH_LOG_PACKET,"Decrypting %d bytes",len); #ifdef HAVE_LIBGCRYPT crypto->set_decrypt_key(crypto,session->current_crypto->decryptkey,session->current_crypto->decryptIV); diff --git a/libssh/packet.c b/libssh/packet.c index 340d16c..6043e8d 100644 --- a/libssh/packet.c +++ b/libssh/packet.c @@ -111,8 +111,13 @@ static int packet_read2(SSH_SESSION *session){ } if(session->current_crypto){ /* decrypt the rest of the packet (blocksize bytes already have been decrypted */ - packet_decrypt(session,buffer_get(session->in_buffer)+blocksize, - buffer_get_len(session->in_buffer)-blocksize); + if (packet_decrypt(session, + buffer_get(session->in_buffer) + blocksize, + buffer_get_len(session->in_buffer) - blocksize) < 0) { + ssh_set_error(session, SSH_FATAL, "Decrypt error"); + leave_function(); + return SSH_ERROR; + } ssh_socket_read(session->socket,mac,macsize); if(packet_hmac_verify(session,session->in_buffer,mac)){ ssh_set_error(session,SSH_FATAL,"HMAC error"); @@ -216,11 +221,17 @@ static int packet_read1(SSH_SESSION *session){ ssh_print_hexa("read packet:",buffer_get(session->in_buffer), buffer_get_len(session->in_buffer)); #endif - if(session->current_crypto){ - /* we decrypt everything, missing the lenght part (which was previously - * read, unencrypted, and is not part of the buffer - */ - packet_decrypt(session,buffer_get(session->in_buffer),buffer_get_len(session->in_buffer)); + if (session->current_crypto) { + /* we decrypt everything, missing the lenght part (which was + * previously read, unencrypted, and is not part of the buffer + */ + if (packet_decrypt(session, + buffer_get(session->in_buffer), + buffer_get_len(session->in_buffer)) < 0) { + ssh_set_error(session, SSH_FATAL, "Packet decrypt error"); + leave_function(); + return SSH_ERROR; + } } #ifdef DEBUG_CRYPTO ssh_print_hexa("read packet decrypted:", |