summaryrefslogtreecommitdiff
path: root/packet.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-11-08 21:59:11 +0000
committerDamien Miller <djm@mindrot.org>2016-01-14 12:10:40 +1100
commitd77148e3a3ef6c29b26ec74331455394581aa257 (patch)
tree118afa3b00dc36cfd65b3b4e6638e6592667389d /packet.c
parent076d849e17ab12603627f87b301e2dca71bae518 (diff)
upstream commit
fix OOB read in packet code caused by missing return statement found by Ben Hawkes; ok markus@ deraadt@ Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
Diffstat (limited to 'packet.c')
-rw-r--r--packet.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/packet.c b/packet.c
index 01d3e2970..7b5c419eb 100644
--- a/packet.c
+++ b/packet.c
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
1581 logit("Bad packet length %u.", state->packlen); 1581 logit("Bad packet length %u.", state->packlen);
1582 if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0) 1582 if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
1583 return r; 1583 return r;
1584 return SSH_ERR_CONN_CORRUPT;
1584 } 1585 }
1585 sshbuf_reset(state->incoming_packet); 1586 sshbuf_reset(state->incoming_packet);
1586 } else if (state->packlen == 0) { 1587 } else if (state->packlen == 0) {