On Nov 10, 2006, at 5:45 AM, Daniel Stenberg wrote:
> On Fri, 10 Nov 2006, Daniel Stenberg wrote:
>
>> 2. What about some sensibility-checks to avoid allocating over-the-top
>> amounts? It seems like a dead-easy way to screw up clients if you are an
>> evil server.
>
> Yeps, a clear deviance from what the RFC tells us. Here's a little patch that
> makes libssh2 abort my "abuse" nice and clean.
>
> --- packet.c~ 2006-06-22 20:31:55.000000000 +0200
> +++ packet.c 2006-11-10 11:42:46.000000000 +0100
> @@ -886,6 +886,19 @@
> return -1;
> }
> packet_length = libssh2_ntohu32(buf);
> +
> + /* RFC4253 section 6.1 Maximum Packet Length says:
> +
> + "All implementations MUST be able to process
> packets with
> + uncompressed payload length of 32768 bytes or
> less and
> + total packet size of 35000 bytes or less
> (including length,
> + padding length, payload, padding, and MAC.)."
> +
> + */
> + if(packet_length > 35000) {
> + return -1;
> + }
> +
> padding_length = buf[4];
> #ifdef LIBSSH2_DEBUG_TRANSPORT
> _libssh2_debug(session, LIBSSH2_DBG_TRANS, "Processing plaintext
> packet %lu bytes long (with %lu bytes padding)", packet_length,
> padding_length);
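Review bot: the new `if(packet_length > 35000)` check is stricter than the RFC text quoted in the comment above it. RFC 4253 6.1 says implementations MUST be able to process packets up to 35000 bytes; it does not say larger packets are invalid, so this is a local sanity limit chosen by libssh2, and the comment should say so rather than imply the RFC mandates the rejection. Two smaller points: the magic number 35000 would read better as a named constant (e.g. a `#define` next to the other packet limits, with a note that it is compared against the length field, which excludes the 4-byte length and the MAC, so the bound is slightly looser than the RFC's total), and the bare `return -1;` gives the caller no way to tell an oversized-packet abort from the other `return -1` paths in this function. Also note that the hunk only guards the read at this one site (the "Processing plaintext packet" path visible in the trailing context); any other place where `packet_length` is taken from the wire needs the same bound, as Jim points out below.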
Looking at the code, it seems the same should be applied between lines
767/768; do you agree?
Jim

-- 
 /"\   ASCII Ribbon Campaign  .
 \ /   - NO HTML/RTF in e-mail  .
  X    - NO Word docs in e-mail .
 / \   -----------------------------------------------------------------
 jeh@FreeBSD.org      http://www.FreeBSD.org      The Power to Serve
 jim@TheHousleys.Net  http://www.TheHousleys.net
 ---------------------------------------------------------------------
 The wise man built his network upon Un*x.
 The foolish man built his network upon Windows.

Received on 2006-11-10