Hi,
Using the latest daily snapshot of libssh2, I have a problem downloading
files using libssh2_scp_recv(). When reading the data using
libssh2_channel_read(), I consistently fail to pass the new check in
transport.c, line 434, which was introduced to fix bug 2814613:
p->packet_length exceeds PACKETBUFSIZE (16384) and the function
_libssh2_transport_read() returns failure.
Shouldn't the check at line 455 (see below) take care of illegally large
values for p->packet_length?
From transport.c, function _libssh2_transport_read():

    /* we now have the initial blocksize bytes decrypted,
     * and we can extract packet and padding length from it
     */
    p->packet_length = _libssh2_ntohu32(block);
    /* line 434 */
    if ((p->packet_length < 1) || (p->packet_length > PACKETBUFSIZE))
        return PACKET_FAIL;

    p->padding_length = block[4];
    if (p->padding_length < 0)
        return PACKET_FAIL;

    /* total_num is the number of bytes following the initial
     * (5 bytes) packet length and padding length fields */
    p->total_num =
        p->packet_length - 1 +
        (encrypted ? session->remote.mac->mac_len : 0);

    /* RFC4253 section 6.1 Maximum Packet Length says:
     *
     * "All implementations MUST be able to process
     * packets with uncompressed payload length of 32768
     * bytes or less and total packet size of 35000 bytes
     * or less (including length, padding length, payload,
     * padding, and MAC.)."
     */
    /* line 455 */
    if (p->total_num > LIBSSH2_PACKET_MAXPAYLOAD) {
        return PACKET_TOOBIG;
    }
Cheers,
Paul Veldkamp
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2009-07-27
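The two size checks discussed above, as an added, self-contained example (not libssh2's code and not part of the original mail). It parses the first five bytes of an SSH binary packet as laid out in RFC 4253 section 6 and applies, selectably, the packet_length > PACKETBUFSIZE rejection and the total_num limit. PACKETBUFSIZE uses the 16384 quoted in the mail; LIBSSH2_PACKET_MAXPAYLOAD is assumed here to be the 35000-byte RFC total, and the padding_length checks (at least four bytes, and fitting inside packet_length) are the RFC's requirements, added here rather than taken from the quoted transport.c. The constructed test packet is a 20000-byte SSH_MSG_CHANNEL_DATA chunk with a 20-byte MAC, which is legal under the RFC but larger than PACKETBUFSIZE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names mirror the quoted transport.c. PACKETBUFSIZE is the value given in
 * the mail; LIBSSH2_PACKET_MAXPAYLOAD is assumed here to be the RFC 4253
 * section 6.1 total packet limit. */
#define PACKETBUFSIZE             16384u
#define LIBSSH2_PACKET_MAXPAYLOAD 35000u

enum { HDR_OK = 0, HDR_FAIL = -1, HDR_TOOBIG = -2 };

struct pkt_hdr {
    uint32_t packet_length;   /* bytes following the length field */
    uint8_t  padding_length;
    size_t   total_num;       /* bytes still to read after the first 5 */
};

/* Big-endian uint32 decode, the equivalent of _libssh2_ntohu32() */
static uint32_t be32(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Validate the first decrypted block of an SSH packet. strict_bufsize
 * enables the packet_length > PACKETBUFSIZE rejection; the total_num
 * limit is always applied. */
static int parse_ssh_header(const unsigned char *block, size_t block_len,
                            size_t mac_len, int strict_bufsize,
                            struct pkt_hdr *out)
{
    uint64_t total;

    if (block_len < 5)
        return HDR_FAIL;

    out->packet_length = be32(block);
    /* packet_length - 1 below would wrap for 0, so reject it first */
    if (out->packet_length < 1)
        return HDR_FAIL;
    if (strict_bufsize && out->packet_length > PACKETBUFSIZE)
        return HDR_FAIL;

    out->padding_length = block[4];
    /* RFC 4253 section 6: at least four bytes of padding, and the padding
     * plus its length byte must fit inside packet_length, otherwise the
     * payload length (packet_length - padding_length - 1) wraps later. */
    if (out->padding_length < 4 ||
        (uint32_t)out->padding_length + 1 > out->packet_length)
        return HDR_FAIL;

    /* widen to 64 bits so a 32-bit size_t cannot wrap on huge lengths */
    total = (uint64_t)out->packet_length - 1 + mac_len;
    if (total > LIBSSH2_PACKET_MAXPAYLOAD)
        return HDR_TOOBIG;
    out->total_num = (size_t)total;
    return HDR_OK;
}

/* Build a constructed 5-byte header for testing */
static void make_header(uint32_t packet_length, uint8_t padding_length,
                        unsigned char out[5])
{
    out[0] = (unsigned char)(packet_length >> 24);
    out[1] = (unsigned char)(packet_length >> 16);
    out[2] = (unsigned char)(packet_length >> 8);
    out[3] = (unsigned char)packet_length;
    out[4] = padding_length;
}

/* Parse a constructed header and return the result code */
static int check_header(uint32_t packet_length, uint8_t padding_length,
                        size_t mac_len, int strict_bufsize)
{
    unsigned char hdr[5];
    struct pkt_hdr p = {0, 0, 0};
    make_header(packet_length, padding_length, hdr);
    return parse_ssh_header(hdr, sizeof hdr, mac_len, strict_bufsize, &p);
}

/* total_num for an accepted header under the RFC limit only, 0 if rejected */
static size_t total_for(uint32_t packet_length, size_t mac_len)
{
    unsigned char hdr[5];
    struct pkt_hdr p = {0, 0, 0};
    make_header(packet_length, 8, hdr);
    if (parse_ssh_header(hdr, sizeof hdr, mac_len, 0, &p) != HDR_OK)
        return 0;
    return p.total_num;
}

int main(void)
{
    /* constructed: 20000-byte channel data packet, hmac-sha1 (20-byte MAC) */
    printf("PACKETBUFSIZE check: %d\n", check_header(20000, 8, 20, 1));
    printf("RFC limit only:      %d (total_num=%zu)\n",
           check_header(20000, 8, 20, 0), total_for(20000, 20));
    printf("40000-byte packet:   %d\n", check_header(40000, 8, 20, 0));
    return 0;
}
```

The same 20000-byte header fails under the buffer-size check and passes under the RFC-derived total_num check, while a 40000-byte one is rejected by both, which is the behaviour the mail asks about. The padding checks are worth keeping in any real implementation: the quoted `padding_length < 0` test cannot fail for an unsigned byte, and an unchecked padding_length larger than packet_length underflows the payload length computed from it.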