]> git.ipfire.org Git - thirdparty/openssh-portable.git/commitdiff
projects / thirdparty / openssh-portable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fc437c1)
upstream: don't attempt to decode a ridiculous number of
authordjm@openbsd.org <djm@openbsd.org>
Fri, 31 Mar 2023 04:00:37 +0000 (04:00 +0000)
committerDamien Miller <djm@mindrot.org>
Fri, 31 Mar 2023 04:06:20 +0000 (15:06 +1100)
attributes; harmless because of bounds elsewhere, but better to be explicit

OpenBSD-Commit-ID: 1a34f4b6896155b80327d15dc7ccf294b538a9f2

sftp-common.c patch | blob | blame | history

diff --git a/sftp-common.c b/sftp-common.c
index 50f1bbafb4bc5a5de7de14554953ab30df8769b9..5d72498256e8adb72f113771e376d50a23625a9b 100644 (file)
--- a/sftp-common.c
+++ b/sftp-common.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-common.c,v 1.33 2022/09/19 10:41:58 djm Exp $ */
+/* $OpenBSD: sftp-common.c,v 1.34 2023/03/31 04:00:37 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Damien Miller.  All rights reserved.
@@ -137,6 +137,8 @@ decode_attrib(struct sshbuf *b, Attrib *a)
 
                if ((r = sshbuf_get_u32(b, &count)) != 0)
                        return r;
+               if (count > 0x100000)
+                       return SSH_ERR_INVALID_FORMAT;
                for (i = 0; i < count; i++) {
                        if ((r = sshbuf_get_cstring(b, &type, NULL)) != 0 ||
                            (r = sshbuf_get_string(b, &data, &dlen)) != 0)
Mirror of https://github.com/openssh/openssh-portable.git