3 files changed, 13 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 9e38de0cc..19671a05e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,9 @@
      [ssh-agent.c]
      don't unlink agent socket when bind() fails, spotted by rich AT
      rich-paul.net, ok markus@
+   - markus@cvs.openbsd.org 2004/10/20 11:48:53
+     [packet.c ssh1.h]
+     disconnect for invalid (out of range) message types.
 
 20041102
  - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
@@ -1821,4 +1824,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3573 2004/11/05 09:26:49 dtucker Exp $
+$Id: ChangeLog,v 1.3574 2004/11/05 09:27:54 dtucker Exp $
diff --git a/packet.c b/packet.c
index 82a569404..7c150fde7 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.115 2004/06/21 17:36:31 avsm Exp $");
+RCSID("$OpenBSD: packet.c,v 1.116 2004/10/20 11:48:53 markus Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -981,6 +981,8 @@ packet_read_poll1(void)
                     buffer_len(&compression_buffer));
         }
         type = buffer_get_char(&incoming_packet);
+        if (type < SSH_MSG_MIN || type > SSH_MSG_MAX)
+                packet_disconnect("Invalid ssh1 packet type: %d", type);
         return type;
 }
 
@@ -1093,6 +1095,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
          * return length of payload (without type field)
          */
         type = buffer_get_char(&incoming_packet);
+        if (type < SSH2_MSG_MIN || type >= SSH2_MSG_LOCAL_MIN)
+                packet_disconnect("Invalid ssh2 packet type: %d", type);
         if (type == SSH2_MSG_NEWKEYS)
                 set_newkeys(MODE_IN);
 #ifdef PACKET_DEBUG
diff --git a/ssh1.h b/ssh1.h
index cc7fbc8b0..1741c229a 100644
--- a/ssh1.h
+++ b/ssh1.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh1.h,v 1.4 2004/07/11 17:48:47 deraadt Exp $        */
+/*      $OpenBSD: ssh1.h,v 1.5 2004/10/20 11:48:53 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -18,6 +18,9 @@
  * for compatibility.  The maximum value is 254; value 255 is reserved for
  * future extension.
  */
+/* Ranges */
+#define SSH_MSG_MIN                             1
+#define SSH_MSG_MAX                             254
 /* Message name */                      /* msg code */  /* arguments */
 #define SSH_MSG_NONE                            0       /* no message */
 #define SSH_MSG_DISCONNECT                      1       /* cause (string) */