Commit 49263b53 authored by Matt Johnston's avatar Matt Johnston
Browse files

Limit decompressed size

parent 57166b40
......@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
static int checkmac();
#define ZLIB_COMPRESS_INCR 100
#define ZLIB_DECOMPRESS_INCR 100
#define ZLIB_DECOMPRESS_INCR 1024
#ifndef DISABLE_ZLIB
static buffer* buf_decompress(buffer* buf, unsigned int len);
static void buf_compress(buffer * dest, buffer * src, unsigned int len);
......@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
}
if (zstream->avail_out == 0) {
buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
int new_size = 0;
if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
dropbear_exit("bad packet, oversized decompressed");
}
new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
buf_resize(ret, new_size);
}
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment