-rw-r--r--ChangeLog5
-rw-r--r--sftp-server.c18
2 files changed, 19 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 666de04df..b6c16e0e0 100644
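--- a/ChangeLog
+++ b/ChangeLog
@@ -124,6 +124,9 @@
  - stevesk@cvs.openbsd.org 2002/06/06 01:09:41
  [monitor.h]
  no trailing comma in enum; china@thewrittenword.com
+ - markus@cvs.openbsd.org 2002/06/06 17:12:44
+ [sftp-server.c]
+ discard remaining bytes of current request; ok provos@
 
 20020604
  - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
@@ -808,4 +811,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2177 2002/06/06 21:57:01 mouring Exp $
+$Id: ChangeLog,v 1.2178 2002/06/06 21:57:54 mouring Exp $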
diff --git a/sftp-server.c b/sftp-server.c
index 117e6cc15..beb251a8a 100644
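--- a/sftp-server.c
+++ b/sftp-server.c
@@ -22,7 +22,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.33 2002/02/13 00:28:13 markus Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.34 2002/06/06 17:12:44 markus Exp $");
 
 #include "buffer.h"
 #include "bufaux.h"
@@ -956,10 +956,13 @@ static void
 process(void)
 {
  u_int msg_len;
+ u_int buf_len;
+ u_int consumed;
  u_int type;
  u_char *cp;
 
- if (buffer_len(&iqueue) < 5)
+ buf_len = buffer_len(&iqueue);
+ if (buf_len < 5)
  return; /* Incomplete message. */
  cp = buffer_ptr(&iqueue);
  msg_len = GET_32BIT(cp);
@@ -967,9 +970,10 @@ process(void)
  error("bad message ");
  exit(11);
  }
- if (buffer_len(&iqueue) < msg_len + 4)
+ if (buf_len < msg_len + 4)
  return;
  buffer_consume(&iqueue, 4);
+ buf_len -= 4;
  type = buffer_get_char(&iqueue);
  switch (type) {
  case SSH2_FXP_INIT:
@@ -1036,6 +1040,14 @@ process(void)
  error("Unknown message %d", type);
  break;
  }
+ /* discard the remaining bytes from the current packet */
+ if (buf_len < buffer_len(&iqueue))
+ fatal("iqueue grows");
+ consumed = buf_len - buffer_len(&iqueue);
+ if (msg_len < consumed)
+ fatal("msg_len %d < consumed %d", msg_len, consumed);
+ if (msg_len > consumed)
+ buffer_consume(&iqueue, msg_len - consumed);
 }
 
 int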
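Review bot: The new `fatal("msg_len %d < consumed %d", msg_len, consumed);` at new line 1048 prints two `u_int` values with `%d`, so a length above INT_MAX would be logged as a negative number in exactly the message an operator reads when a request is malformed or a handler reads past its own packet; `fatal("msg_len %u < consumed %u", msg_len, consumed);` matches the types. It would also help to state the accounting invariant next to `buf_len -= 4;`, for example `/* buf_len now excludes the length prefix, so buf_len - buffer_len(&iqueue) is comparable to msg_len */`, since the trailing check depends on it. The bound applied to msg_len before `msg_len + 4` lies between the hunks, so whether that addition can wrap cannot be confirmed from here. process() spans several hunks and its switch body is not shown.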