upstream commit

check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn

Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f
This commit is contained in:
djm@openbsd.org 2017-01-03 05:46:51 +00:00 committed by Damien Miller
parent ddd3d34e5c
commit c7995f296b

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */
/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@ -587,6 +587,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
if ((r = sshbuf_get_u32(msg, &count)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (count > SSHBUF_SIZE_MAX)
fatal("%s: nonsensical number of entries", __func__);
if (count == 0)
break;
debug3("Received %d SSH2_FXP_NAME responses", count);