dropbear

changeset 791:0bf76f54de6f

Limit decompressed size
author Matt Johnston <matt@ucc.asn.au>
date Wed, 08 May 2013 23:23:14 +0800
parents 7bd88d546627
children 239ede24d54f
files packet.c
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
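--- a/packet.c	Mon Apr 29 23:42:37 2013 +0800
+++ b/packet.c	Wed May 08 23:23:14 2013 +0800
@@ -42,7 +42,7 @@
 static int checkmac();
 
 #define ZLIB_COMPRESS_INCR 100
-#define ZLIB_DECOMPRESS_INCR 100
+#define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
 static buffer* buf_decompress(buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
@@ -420,7 +420,12 @@
 		}
 
 		if (zstream->avail_out == 0) {
-			buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
+			int new_size = 0;
+			if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
+				dropbear_exit("bad packet, oversized decompressed");
+			}
+			new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
+			buf_resize(ret, new_size);
 		}
 	}
 }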
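Review bot: `new_size` is declared as a signed `int` in the added `avail_out == 0` branch, although it is computed from `ret->size` and passed straight to `buf_resize`; if those are unsigned, as the `unsigned int len` parameters in the prototypes of the first hunk suggest, the `MIN(...)` result is narrowed to a signed type for no benefit. Declaring it `unsigned int new_size = 0;` keeps the size arithmetic in one type and avoids sign-conversion warnings. The cap also deserves a one-line comment above the check, e.g. `/* bound the output so a small compressed packet cannot force unbounded allocation */`, because the exit message alone does not say why the limit exists. The enclosing function and its loop start outside the hunk, so it cannot be confirmed from here whether a payload that inflates to exactly RECV_MAX_PAYLOAD_LEN is still accepted or reaches the `>=` check first.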