From 997c082c3b334d425db3df153015d0ce5ad344ad Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Thu, 7 Nov 2002 18:44:04 +0000
Subject: [PATCH] Robustness fixes for KEXINIT handling.

[originally from svn r2197]
---
 ssh.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/ssh.c b/ssh.c
index 3e8396fd..d8db1b25 100644
--- a/ssh.c
+++ b/ssh.c
@@ -23,7 +23,7 @@ void logeventf(char *fmt, ...)
 {
 va_list ap;
- char stuff[200];
+ char stuff[512];
 va_start(ap, fmt);
 vsprintf(stuff, fmt, ap);
@@ -1559,11 +1559,15 @@ static int ssh2_pkt_getbool(void)
 }
 static void ssh2_pkt_getstring(char **p, int *length)
 {
+ int len;
 *p = NULL;
 *length = 0;
 if (pktin.length - pktin.savedpos < 4)
 return;
- *length = GET_32BIT(pktin.data + pktin.savedpos);
+ len = GET_32BIT(pktin.data + pktin.savedpos);
+ if (len < 0)
+ return;
+ *length = len;
 pktin.savedpos += 4;
 if (pktin.length - pktin.savedpos < *length)
 return;
@@ -3517,7 +3521,10 @@ static void ssh1_protocol(unsigned char *in, int inlen, int ispkt)
 */
 static int in_commasep_string(char *needle, char *haystack, int haylen)
 {
- int needlen = strlen(needle);
+ int needlen;
+ if (!needle || !haystack)
+ return 0; /* protect against null pointers */
+ needlen = strlen(needle);
 while (1) {
 /*
 * Is it at the start of the string?
@@ -3745,7 +3752,8 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
 if (!ispkt)
 crWaitUntil(ispkt);
- sha_string(&exhash, pktin.data + 5, pktin.length - 5);
+ if (pktin.length > 5)
+ sha_string(&exhash, pktin.data + 5, pktin.length - 5);
 /*
 * Now examine the other side's KEXINIT to see what we're up
@@ -3802,7 +3810,8 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
 }
 }
 if (!cscipher_tobe) {
- bombout(("Couldn't agree a client-to-server cipher (available: %s)", str));
+ bombout(("Couldn't agree a client-to-server cipher (available: %.450s)",
+ str));
 crReturn(0);
 }
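Review bot: `vsprintf(stuff, fmt, ap)` two lines below the enlarged buffer is still unbounded, so growing `stuff` to 512 bytes only moves the point at which a long format expansion overruns the stack; the `%.450s` caps added later in this patch are what keep the known callers under the limit, and every future caller of logeventf has to repeat that arithmetic by hand. Bounding the write once here, `vsnprintf(stuff, sizeof stuff, fmt, ap);`, makes the logging path safe regardless of what a caller passes, and truncation of a log line is the benign outcome. The remainder of logeventf's body is outside the hunk.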
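Review bot: In ssh2_pkt_getstring the new `*length = len;` is published before the bounds check that follows it (`if (pktin.length - pktin.savedpos < *length) return;`), so on a truncated packet the caller is handed `*p == NULL` together with a non-zero `*length`; a caller that trusts `*length` alone would read past the packet, whereas the other early returns leave the pair consistently NULL/0. Comparing against the local and storing only after the check, `if (pktin.length - pktin.savedpos < len) return;` followed by `*length = len;`, keeps that invariant on every exit. The `if (len < 0)` test also depends on GET_32BIT's result being narrowed into a signed int; that works on two's-complement targets, but if GET_32BIT yields an unsigned value (its definition is not in this hunk) a comparison against INT_MAX before the conversion would be better defined. The rest of the function is outside the hunk.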
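Review bot: The NULL guard in in_commasep_string returns 0, the same value as a genuine "not found", but the contract comment whose closing `*/` opens this hunk lies outside it; if it does not already say so, a line such as `/* A NULL needle or haystack is treated as "not present" and yields 0. */` would stop the next reader from mistaking the guard for an error path. The retained `needlen = strlen(needle);` still narrows a size_t into an int, which is harmless for algorithm names but worth an explicit `(int)` cast or a size_t local if the file is built with conversion warnings. The loop body that consumes needlen and haylen is outside the hunk.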
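Review bot: Skipping `sha_string` when `pktin.length` is 5 or less lets a KEXINIT too short to carry a payload proceed into negotiation with the peer's KEXINIT silently omitted from the exchange hash, so the key exchange will fail later at verification with no indication of the real cause. The condition does prevent the negative-length call, but a packet that short is a protocol violation, and the cipher-agreement hunks below already use `bombout` followed by `crReturn(0)` for that situation; failing closed here gives a clear error at the point the malformed packet arrives. The exact layout of the 5-byte prefix is not visible in this hunk, so the message wording should match whatever the header actually is. The enclosing do_ssh2_transport starts and ends well outside the hunk.
```c
    if (pktin.length <= 5) {
	bombout(("Malformed KEXINIT packet (too short)"));
	crReturn(0);
    }
    sha_string(&exhash, pktin.data + 5, pktin.length - 5);
```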
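Review bot: The `%.450s` precision is a magic number whose only justification is the 512-byte `stuff` buffer from the first hunk minus the fixed text of this message, and the same literal is repeated in the server-to-client hunk that follows; nothing ties either to the buffer size, so a later edit to the message text or to the buffer silently reopens the overrun. If bombout ends up formatting through logeventf (its definition is not on this page), bounding the write there with vsnprintf removes the need for per-caller caps altogether; otherwise a named constant derived from the buffer size (a constructed name such as `LOG_FIELD_MAX`) used in both format strings keeps the relation explicit and greppable.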
@@ -3827,7 +3836,8 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
 }
 }
 if (!sccipher_tobe) {
- bombout(("Couldn't agree a server-to-client cipher (available: %s)", str));
+ bombout(("Couldn't agree a server-to-client cipher (available: %.450s)",
+ str));
 crReturn(0);
 }
-- 
2.45.2