summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-11-08 21:59:11 +0000
committerDamien Miller <djm@mindrot.org>2015-11-09 14:25:37 +1100
commit2fecfd486bdba9f51b3a789277bb0733ca36e1c0 (patch)
treec05509284f0ad0fa8d3e0fe46175546c224c713f
parent5e288923a303ca672b686908320bc5368ebec6e6 (diff)
upstream commit
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@ Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
Diffstat
-rw-r--r--packet.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/packet.c b/packet.c
index a0dbc2391..4f6433b47 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: packet.c,v 1.216 2015/10/21 11:33:03 gsoares Exp $ */ 1/* $OpenBSD: packet.c,v 1.217 2015/11/08 21:59:11 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1581 logit("Bad packet length %u.", state->packlen); 1581 logit("Bad packet length %u.", state->packlen);
1582 if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) 1582 if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
1583 return r; 1583 return r;
1584 return SSH_ERR_CONN_CORRUPT;
1584 } 1585 }
1585 sshbuf_reset(state->incoming_packet); 1586 sshbuf_reset(state->incoming_packet);
1586 } else if (state->packlen == 0) { 1587 } else if (state->packlen == 0) {
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-08 01:13:08 +0000