From 49263b5314e59de654d7b01f513b1cd95b1b9ec9 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Wed, 8 May 2013 23:23:14 +0800
Subject: [PATCH] Limit decompressed size

---
 packet.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/packet.c b/packet.c
index 09f0600c..d458ccf7 100644
--- a/packet.c
+++ b/packet.c
@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
 static int checkmac();
 
 #define ZLIB_COMPRESS_INCR 100
-#define ZLIB_DECOMPRESS_INCR 100
+#define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
 static buffer* buf_decompress(buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
 		}
 
 		if (zstream->avail_out == 0) {
-			buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
+			int new_size = 0;
+			if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
+				dropbear_exit("bad packet, oversized decompressed");
+			}
+			new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
+			buf_resize(ret, new_size);
 		}
 	}
 }
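Review bot: `int new_size = 0;` on the added line is signed, while `ret->size` and the argument of `buf_resize` appear to use the buffer's own size type (presumably unsigned, given it is compared against RECV_MAX_PAYLOAD_LEN), so the MIN result is converted to int and back; declare it in that type at first use instead, e.g. `unsigned int new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);` placed after the guard. The guard also deserves a why-comment, since its job is to bound the memory a peer can force with a small, highly compressible packet: `/* Cap decompressed size so a short compressed packet cannot force unbounded allocation (decompression bomb) */`. Whether an output of exactly RECV_MAX_PAYLOAD_LEN bytes that ends with avail_out == 0 reaches this branch or the stream-end handling first cannot be seen here, as the inflate call and loop head are above the hunk; buf_decompress starts outside the hunk.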