Skip to content
Snippets Groups Projects
Commit 49263b53 authored by Matt Johnston's avatar Matt Johnston
Browse files

Limit decompressed size

parent 57166b40
No related merge requests found
...@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional * ...@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
static int checkmac(); static int checkmac();
#define ZLIB_COMPRESS_INCR 100 #define ZLIB_COMPRESS_INCR 100
#define ZLIB_DECOMPRESS_INCR 100 #define ZLIB_DECOMPRESS_INCR 1024
#ifndef DISABLE_ZLIB #ifndef DISABLE_ZLIB
static buffer* buf_decompress(buffer* buf, unsigned int len); static buffer* buf_decompress(buffer* buf, unsigned int len);
static void buf_compress(buffer * dest, buffer * src, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len);
...@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) { ...@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
} }
if (zstream->avail_out == 0) { if (zstream->avail_out == 0) {
buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR); int new_size = 0;
if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
dropbear_exit("bad packet, oversized decompressed");
}
new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
buf_resize(ret, new_size);
} }
} }
} }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment