upstream commit

fatal() when a remote window update causes the window value to overflow. Reported by Georg Wicherski, ok markus@ Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
author: djm@openbsd.org <djm@openbsd.org> 2015-06-30 05:25:07 +0000
committer: Damien Miller <djm@mindrot.org> 2015-06-30 16:12:20 +1000
commit: 629df770dbadc2accfbe1c81b3f31f876d0acd84 (patch)
tree: e56dd5ecd155755b92b4a45610057c1a9c6edd51 /channels.c
parent: f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/channels.c b/channels.c
index 8069cf1f9..3fe836aad 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.345 2015/06/30 05:23:25 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.346 2015/06/30 05:25:07 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2641,7 +2641,7 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
 {
        Channel *c;
        int id;
-        u_int adjust;
+        u_int adjust, tmp;
        if (!compat20)
                return 0;
@@ -2657,7 +2657,10 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
        adjust = packet_get_int();
        packet_check_eom();
        debug2("channel %d: rcvd adjust %u", id, adjust);
-        c->remote_window += adjust;
+        if ((tmp = c->remote_window + adjust) < c->remote_window)
+                fatal("channel %d: adjust %u overflows remote window %u",
+                    id, adjust, c->remote_window);
+        c->remote_window = tmp;
        return 0;
 }
author	djm@openbsd.org <djm@openbsd.org>	2015-06-30 05:25:07 +0000
committer	Damien Miller <djm@mindrot.org>	2015-06-30 16:12:20 +1000
commit	629df770dbadc2accfbe1c81b3f31f876d0acd84 (patch)
tree	e56dd5ecd155755b92b4a45610057c1a9c6edd51 /channels.c
parent	f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2 (diff)