author | djm@openbsd.org <djm@openbsd.org> | 2015-11-08 21:59:11 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-01-14 12:10:40 +1100 |
commit | d77148e3a3ef6c29b26ec74331455394581aa257 (patch) | |
tree | 118afa3b00dc36cfd65b3b4e6638e6592667389d /packet.c | |
parent | 076d849e17ab12603627f87b301e2dca71bae518 (diff) |
upstream commit
fix OOB read in packet code caused by missing return
statement found by Ben Hawkes; ok markus@ deraadt@
Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 1 |
1 files changed, 1 insertions, 0 deletions
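--- a/packet.c
+++ b/packet.c
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 logit("Bad packet length %u.", state->packlen);
 if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
 return r;
+return SSH_ERR_CONN_CORRUPT;
 }
 sshbuf_reset(state->incoming_packet);
 } else if (state->packlen == 0) {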
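Review bot: The added `return SSH_ERR_CONN_CORRUPT;` carries no comment saying why the bad-length path must stop here, so a later cleanup could drop it again. A zero result from `sshpkt_disconnect()` apparently does not end processing on its own, because without this return execution reached `sshbuf_reset(state->incoming_packet)` and carried on with a `state->packlen` that had just been rejected. I would add a one-line comment above the return, e.g. `/* packlen failed validation: must not fall through to the read path */`. Most of ssh_packet_read_poll2 lies outside the hunk, so it is worth confirming that its other `sshpkt_disconnect()` call sites, and those elsewhere in packet.c, also return once the disconnect succeeds.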