-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | channels.c | 9 |
2 files changed, 11 insertions, 4 deletions
@@ -92,6 +92,10 @@ | |||
92 | [scp.c] | 92 | [scp.c] |
93 | duplicate argv at the start of main() because it gets modified later; | 93 | duplicate argv at the start of main() because it gets modified later; |
94 | pointed out by deraadt@ ok markus@ | 94 | pointed out by deraadt@ ok markus@ |
95 | - djm@cvs.openbsd.org 2006/07/10 12:08:08 | ||
96 | [channels.c] | ||
97 | fix misparsing of SOCKS 5 packets that could result in a crash; | ||
98 | reported by mk@ ok markus@ | ||
95 | 99 | ||
96 | 20060706 | 100 | 20060706 |
97 | - (dtucker) [configure.ac] Try AIX blibpath test in different order when | 101 | - (dtucker) [configure.ac] Try AIX blibpath test in different order when |
@@ -4825,4 +4829,4 @@ | |||
4825 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 4829 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
4826 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 4830 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
4827 | 4831 | ||
4828 | $Id: ChangeLog,v 1.4382 2006/07/10 12:19:53 djm Exp $ | 4832 | $Id: ChangeLog,v 1.4383 2006/07/10 12:21:02 djm Exp $ |
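--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.251 2006/07/03 17:59:32 stevesk Exp $ */
+/* $OpenBSD: channels.c,v 1.252 2006/07/10 12:08:08 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1014,7 +1014,7 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
 } s5_req, s5_rsp;
 u_int16_t dest_port;
 u_char *p, dest_addr[255+1];
-u_int have, i, found, nmethods, addrlen, af;
+u_int have, need, i, found, nmethods, addrlen, af;
 
 debug2("channel %d: decode socks5", c->self);
 p = buffer_ptr(&c->input);
@@ -1075,7 +1075,10 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
 return -1;
 }
-if (have < 4 + addrlen + 2)
+need = sizeof(s5_req) + addrlen + 2;
+if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
+need++;
+if (have < need)
 return 0;
 buffer_consume(&c->input, sizeof(s5_req));
 if (s5_req.atyp == SSH_SOCKS5_DOMAIN)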
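Review bot: The new `need` computation in the last hunk packs three wire-format facts into bare arithmetic with no comment: the fixed request header, the one-byte length prefix that precedes a domain-name address, and the 2-byte port. Since this is the only length check visible before `buffer_consume()` starts taking peer-supplied bytes off the input buffer, I would add `/* domain names carry a one-byte length prefix ahead of the address */` above `need++` and write the port term as `sizeof(dest_port)` rather than `2`. A regression test that feeds a domain-type request truncated by exactly one byte would pin the boundary this commit corrects. The body of channel_decode_socks5 starts and ends outside the hunk, so how `addrlen` is derived and whether it is bounded against `dest_addr[255+1]` cannot be confirmed from these lines.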