From 1b2cc402448da230af90ade6331f4712f73df6b0 Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Mon, 30 Jan 2017 19:42:25 +0000
Subject: [PATCH] Refuse to forward agent messages > AGENT_MAX_MSGLEN.

Mostly so that we don't have to malloc contiguous space for them
inside PuTTY; since we've already got a handy constant saying how big
is too big, we might as well use it to sanity-check the contents of
our agent forwarding channels.
---
 ssh.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/ssh.c b/ssh.c
index a214aa1f..931d8686 100644
--- a/ssh.c
+++ b/ssh.c
@@ -10,6 +10,7 @@
 #include <signal.h>
 
 #include "putty.h"
+#include "pageant.h" /* for AGENT_MAX_MSGLEN */
 #include "tree234.h"
 #include "storage.h"
 #include "ssh.h"
@@ -3857,6 +3858,8 @@ static void ssh_agentf_got_response(struct ssh_channel *c,
 {
     c->u.a.pending = NULL;
 
+    assert(!(c->closes & CLOSES_SENT_EOF));
+
     if (!reply) {
 	/* The real agent didn't send any kind of reply at all for
          * some reason, so fake an SSH_AGENT_FAILURE. */
@@ -3897,6 +3900,15 @@ static void ssh_agentf_try_forward(struct ssh_channel *c)
         (c->ssh->version == 2 && c->v.v2.remwindow == 0))
         return;
 
+    if (c->closes & CLOSES_SENT_EOF) {
+        /*
+         * If we've already sent outgoing EOF, there's nothing we can
+         * do with incoming data except consume it and throw it away.
+         */
+        bufchain_clear(&c->u.a.inbuffer);
+        return;
+    }
+
     while (1) {
         /*
          * Try to extract a complete message from the input buffer.
@@ -3907,6 +3919,21 @@ static void ssh_agentf_try_forward(struct ssh_channel *c)
 
         bufchain_fetch(&c->u.a.inbuffer, msglen, 4);
         lengthfield = GET_32BIT(msglen);
+
+        if (lengthfield > AGENT_MAX_MSGLEN) {
+            /*
+             * If the remote has sent a message that's just _too_
+             * long, we should reject it in advance of seeing the rest
+             * of the incoming message, and also close the connection
+             * for good measure (which avoids us having to faff about
+             * with carefully ignoring just the right number of bytes
+             * from the overlong message).
+             */
+            ssh_agentf_got_response(c, NULL, 0);
+            sshfwd_write_eof(c);
+            return;
+        }
+
         if (lengthfield > datalen - 4)
             break;          /* a whole message is not yet available */
 
-- 
2.45.1