Subject: Re: [libssh2] All Your Mem Belongs to Us

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 10 Nov 2006 11:45:47 +0100 (CET)

On Fri, 10 Nov 2006, Daniel Stenberg wrote:

> 2. What about some sensibility-checks to avoid allocating over-the-top
> amounts? It seems like a dead-easy way to screw up clients if you are an
> evil server.

Yeps, a clear deviance from what the RFC tells us. Here's a little patch that
makes libssh2 abort my "abuse" nice and clean.

--- packet.c~ 2006-06-22 20:31:55.000000000 +0200
+++ packet.c 2006-11-10 11:42:46.000000000 +0100
@@ -886,6 +886,19 @@
                          return -1;
                  }
                  packet_length = libssh2_ntohu32(buf);
+
+ /* RFC4253 section 6.1 Maximum Packet Length says:
+
+ "All implementations MUST be able to process packets with
+ uncompressed payload length of 32768 bytes or less and
+ total packet size of 35000 bytes or less (including length,
+ padding length, payload, padding, and MAC.)."
+
+ */
+ if(packet_length > 35000) {
+ return -1;
+ }
+
                  padding_length = buf[4];
  #ifdef LIBSSH2_DEBUG_TRANSPORT
          _libssh2_debug(session, LIBSSH2_DBG_TRANS, "Processing plaintext
packet %lu bytes long (with %lu bytes padding)", packet_length,
padding_length);
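Review bot: the `if(packet_length > 35000)` check bounds the wrong quantity for the RFC text quoted just above it: RFC 4253 defines 35000 as the total packet size including the 4-byte length field and the MAC, while packet_length excludes the length field, so the check admits packets slightly above the RFC bound; compare `packet_length + 4 + mac_len` against 35000 (or document that the limit is deliberately loose). The `padding_length = buf[4];` line that follows is still unchecked: since RFC 4253 defines the payload length as packet_length - padding_length - 1, a padding_length of packet_length or more makes that value underflow, so reject `padding_length + 1 > packet_length` in the same block (the RFC also requires at least 4 bytes of padding).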

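The header check the thread is asking for, carried through to the padding byte as well, as an added example that is not the libssh2 patch above. The function name `ssh_check_packet_header`, its `mac_len` parameter and the sample headers are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Bounds from RFC 4253 section 6.1 */
#define SSH_MAX_PACKET_TOTAL 35000u  /* length field + payload + padding + MAC */
#define SSH_MAX_PAYLOAD      32768u
#define SSH_MIN_PADDING      4u

/* Decode the SSH uint32 wire encoding (big-endian). */
static uint32_t ssh_ntohu32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Validate the first 5 decrypted bytes of an SSH binary packet
 * (packet_length, padding_length) before anything is allocated.
 * mac_len is the MAC size of the negotiated algorithm (0 if none).
 * Returns the payload length, or -1 if the header must be rejected.
 */
long ssh_check_packet_header(const unsigned char *buf, size_t buflen,
                             size_t mac_len)
{
    uint32_t packet_length, padding_length, payload_length;

    if (buflen < 5)
        return -1;                      /* both fields not yet available */
    packet_length  = ssh_ntohu32(buf);
    padding_length = buf[4];

    /* The RFC bound is on the total on-the-wire size, so add the
     * 4-byte length field and the MAC before comparing. */
    if ((uint64_t)packet_length + 4 + mac_len > SSH_MAX_PACKET_TOTAL)
        return -1;
    /* packet_length covers the padding_length byte, payload and padding;
     * a padding value that large would underflow the payload length. */
    if (padding_length < SSH_MIN_PADDING || packet_length < padding_length + 1u)
        return -1;
    payload_length = packet_length - padding_length - 1;
    if (payload_length > SSH_MAX_PAYLOAD)
        return -1;
    return (long)payload_length;
}

/* Constructed sample headers (packet_length big-endian, then padding_length). */
const unsigned char SAMPLE_OK[5]    = {0x00, 0x00, 0x00, 0x0c, 0x04}; /* 12, pad 4  */
const unsigned char SAMPLE_HUGE[5]  = {0xff, 0xff, 0xff, 0xff, 0x04}; /* 4 GiB      */
const unsigned char SAMPLE_UNDER[5] = {0x00, 0x00, 0x00, 0x04, 0x08}; /* pad > len  */
const unsigned char SAMPLE_EDGE[5]  = {0x00, 0x00, 0x88, 0xb4, 0x04}; /* 34996      */
```

SAMPLE_EDGE totals exactly 35000 bytes with no MAC but fails as soon as a MAC is in use, which is the case the patch's bare `packet_length > 35000` comparison lets through.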
_______________________________________________
libssh2-devel mailing list
libssh2-devel_at_lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel
Received on 2006-11-10