upstream commit

check number of entries in SSH2_FXP_NAME response; avoids unreachable overflow later. Reported by Jann Horn Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
author: djm@openbsd.org <djm@openbsd.org> 2017-01-03 05:46:51 +0000
committer: Damien Miller <djm@mindrot.org> 2017-01-04 13:23:04 +1100
commit: c7995f296b9222df2846f56ecf61e5ae13d7a53d (patch)
tree: 8c8d72c7d3c9989ee92862a6bb3b2930c6404d65 /sftp-client.c
parent: ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/sftp-client.c b/sftp-client.c
index e65c15c8f..d47be0ea5 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */
 /*
 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
 *
@@ -587,6 +587,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
                if ((r = sshbuf_get_u32(msg, &count)) != 0)
                        fatal("%s: buffer error: %s", __func__, ssh_err(r));
+                if (count > SSHBUF_SIZE_MAX)
+                        fatal("%s: nonsensical number of entries", __func__);
                if (count == 0)
                        break;
                debug3("Received %d SSH2_FXP_NAME responses", count);
author	djm@openbsd.org <djm@openbsd.org>	2017-01-03 05:46:51 +0000
committer	Damien Miller <djm@mindrot.org>	2017-01-04 13:23:04 +1100
commit	c7995f296b9222df2846f56ecf61e5ae13d7a53d (patch)
tree	8c8d72c7d3c9989ee92862a6bb3b2930c6404d65 /sftp-client.c
parent	ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 (diff)