+ unsigned long i;
+
+ /*
+ * Sanity-check the number of names. Minimum is obviously
+ * zero. Maximum is the remaining space in the packet
+ * divided by the very minimum length of a name, which is
+ * 12 bytes (4 for an empty filename, 4 for an empty
+ * longname, 4 for a set of attribute flags indicating that
+ * no other attributes are supplied).
+ */
+ if (!sftp_pkt_getuint32(pktin, &i) ||
+ i > (pktin->length-pktin->savedpos)/12) {
+ fxp_internal_error("malformed FXP_NAME packet");
+ sftp_pkt_free(pktin);
+ return NULL;
+ }
+
+ /*
+ * Ensure the implicit multiplication in the snewn() call
+ * doesn't suffer integer overflow and cause us to malloc
+ * too little space.
+ */
+ if (i > INT_MAX / sizeof(struct fxp_name)) {
+ fxp_internal_error("unreasonably large FXP_NAME packet");
+ sftp_pkt_free(pktin);
+ return NULL;
+ }
+