tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: don't attempt to decode a ridiculous number of 

attributes; harmless because of bounds elsewhere, but better to be explicit

OpenBSD-Commit-ID: 1a34f4b6896155b80327d15dc7ccf294b538a9f2
This commit is contained in:
djm@openbsd.org 2023-03-31 04:00:37 +00:00 committed by Damien Miller
parent fc437c154e
commit 4fb29eeafb
No known key found for this signature in database
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sftp-common.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-common.c,v 1.33 2022/09/19 10:41:58 djm Exp $ */ /* $OpenBSD: sftp-common.c,v 1.34 2023/03/31 04:00:37 djm Exp $ */
/* /*
* Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Damien Miller. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved.
@ -137,6 +137,8 @@ decode_attrib(struct sshbuf *b, Attrib *a)
if ((r = sshbuf_get_u32(b, &count)) != 0) if ((r = sshbuf_get_u32(b, &count)) != 0)
return r; return r;
if (count > 0x100000)
return SSH_ERR_INVALID_FORMAT;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
if ((r = sshbuf_get_cstring(b, &type, NULL)) != 0 || if ((r = sshbuf_get_cstring(b, &type, NULL)) != 0 ||
(r = sshbuf_get_string(b, &data, &dlen)) != 0) (r = sshbuf_get_string(b, &data, &dlen)) != 0)