Security improvement: check that string length field in
authorSimon Tatham <anakin@pobox.com>
Tue, 6 Jun 2000 08:57:55 +0000 (08:57 +0000)
committerSimon Tatham <anakin@pobox.com>
Tue, 6 Jun 2000 08:57:55 +0000 (08:57 +0000)
SSH_SMSG_{STDOUT,STDERR}_DATA packets is consistent with length
field in packet header. (Helps prevent insertion attack.)

[originally from svn r496]

ssh.c

diff --git a/ssh.c b/ssh.c
index 295d0e68ba3989f9c454ea96ad66ca6d3defd240..ea2ae3c7b3cff80b1bf7b25f7f05999b49e325ba 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -665,7 +665,11 @@ static void ssh_protocol(unsigned char *in, int inlen, int ispkt) {
                long len = 0;
                for (i = 0; i < 4; i++)
                    len = (len << 8) + pktin.body[i];
-               c_write(pktin.body+4, len);
+               if (len+4 != pktin.length) {
+                   logevent("Received data packet with bogus string length"
+                            ", ignoring");
+               } else
+                   c_write(pktin.body+4, len);
            } else if (pktin.type == SSH_MSG_DISCONNECT) {
                 ssh_state = SSH_STATE_CLOSED;
                logevent("Received disconnect request");
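Review bot: The new check `if (len+4 != pktin.length)` runs after the loop has already read `pktin.body[0..3]`, and nothing visible in the hunk confirms the packet is at least four bytes long, so a shorter packet is judged on whatever bytes were left in the buffer. Because `len` is a signed `long` built by left shifts, a first byte of 0x80 or more can overflow where `long` is 32 bits, and a negative `len` could then satisfy the equality for a short packet and reach `c_write` as a negative length. I would declare `unsigned long len = 0;` and guard with `if (pktin.length < 4 || len != (unsigned long)pktin.length - 4)` so both cases land in the `logevent` branch. The type of `pktin.length` is declared outside the hunk, so the cast should be confirmed against it; `ssh_protocol` begins and continues outside the hunk.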