Skip to content
Snippets Groups Projects
Commit 49263b53 authored by Matt Johnston's avatar Matt Johnston
Browse files

Limit decompressed size

parent 57166b40
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 7 additions and 2 deletions
packet.c
+ 7
2
View file @ 49263b53
...@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional * ...@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
static int checkmac(); static int checkmac();
#define ZLIB_COMPRESS_INCR 100 #define ZLIB_COMPRESS_INCR 100
#define ZLIB_DECOMPRESS_INCR 100 #define ZLIB_DECOMPRESS_INCR 1024
#ifndef DISABLE_ZLIB #ifndef DISABLE_ZLIB
static buffer* buf_decompress(buffer* buf, unsigned int len); static buffer* buf_decompress(buffer* buf, unsigned int len);
static void buf_compress(buffer * dest, buffer * src, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len);
...@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) { ...@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
} }
if (zstream->avail_out == 0) { if (zstream->avail_out == 0) {
buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR); int new_size = 0;
if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
dropbear_exit("bad packet, oversized decompressed");
}
new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
buf_resize(ret, new_size);
} }
} }
} }
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment