author | djm@openbsd.org <djm@openbsd.org> | 2017-01-03 05:46:51 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-01-04 13:23:04 +1100 |
commit | c7995f296b9222df2846f56ecf61e5ae13d7a53d (patch) | |
tree | 8c8d72c7d3c9989ee92862a6bb3b2930c6404d65 /sftp-client.c | |
parent | ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 (diff) |
upstream commit
check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn
Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
Diffstat (limited to 'sftp-client.c')
-rw-r--r-- | sftp-client.c | 4 |
1 files changed, 3 insertions, 1 deletions
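--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */
 /*
 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
 *
@@ -587,6 +587,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
 
 if ((r = sshbuf_get_u32(msg, &count)) != 0)
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
+if (count > SSHBUF_SIZE_MAX)
+fatal("%s: nonsensical number of entries", __func__);
 if (count == 0)
 break;
 debug3("Received %d SSH2_FXP_NAME responses", count);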
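Review bot: The new check `if (count > SSHBUF_SIZE_MAX)` caps a server-supplied entry count with a constant whose name suggests a buffer byte limit, and nothing at that line says why this is the right ceiling. A short comment would help the next reader, for example `/* count is server-controlled; cap it before it feeds any size arithmetic below */`. The fatal message would be more useful for diagnosing a misbehaving server if it carried the value, `fatal("%s: nonsensical number of entries %u", __func__, count);`. If count is the unsigned 32-bit value that sshbuf_get_u32() fills in (its declaration is not visible here), the `%d` in the debug3 context line just below should be `%u` as well. do_lsreaddir's body starts and ends outside the hunk, so the later use of count that the commit message refers to cannot be checked from this view.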