summaryrefslogtreecommitdiff
path: root/sftp-server.c
diff options
context:
space:
mode:
Diffstat (limited to 'sftp-server.c')
-rw-r--r--sftp-server.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/sftp-server.c b/sftp-server.c
index 117e6cc15..beb251a8a 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -22,7 +22,7 @@
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */ 23 */
24#include "includes.h" 24#include "includes.h"
25RCSID("$OpenBSD: sftp-server.c,v 1.33 2002/02/13 00:28:13 markus Exp $"); 25RCSID("$OpenBSD: sftp-server.c,v 1.34 2002/06/06 17:12:44 markus Exp $");
26 26
27#include "buffer.h" 27#include "buffer.h"
28#include "bufaux.h" 28#include "bufaux.h"
@@ -956,10 +956,13 @@ static void
956process(void) 956process(void)
957{ 957{
958 u_int msg_len; 958 u_int msg_len;
959 u_int buf_len;
960 u_int consumed;
959 u_int type; 961 u_int type;
960 u_char *cp; 962 u_char *cp;
961 963
962 if (buffer_len(&iqueue) < 5) 964 buf_len = buffer_len(&iqueue);
965 if (buf_len < 5)
963 return; /* Incomplete message. */ 966 return; /* Incomplete message. */
964 cp = buffer_ptr(&iqueue); 967 cp = buffer_ptr(&iqueue);
965 msg_len = GET_32BIT(cp); 968 msg_len = GET_32BIT(cp);
@@ -967,9 +970,10 @@ process(void)
967 error("bad message "); 970 error("bad message ");
968 exit(11); 971 exit(11);
969 } 972 }
970 if (buffer_len(&iqueue) < msg_len + 4) 973 if (buf_len < msg_len + 4)
971 return; 974 return;
972 buffer_consume(&iqueue, 4); 975 buffer_consume(&iqueue, 4);
976 buf_len -= 4;
973 type = buffer_get_char(&iqueue); 977 type = buffer_get_char(&iqueue);
974 switch (type) { 978 switch (type) {
975 case SSH2_FXP_INIT: 979 case SSH2_FXP_INIT:
@@ -1036,6 +1040,14 @@ process(void)
1036 error("Unknown message %d", type); 1040 error("Unknown message %d", type);
1037 break; 1041 break;
1038 } 1042 }
1043 /* discard the remaining bytes from the current packet */
1044 if (buf_len < buffer_len(&iqueue))
1045 fatal("iqueue grows");
1046 consumed = buf_len - buffer_len(&iqueue);
1047 if (msg_len < consumed)
1048 fatal("msg_len %d < consumed %d", msg_len, consumed);
1049 if (msg_len > consumed)
1050 buffer_consume(&iqueue, msg_len - consumed);
1039} 1051}
1040 1052
1041int 1053int