diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2023-03-31 04:00:37 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2023-03-31 15:06:20 +1100 |
| commit | 4fb29eeafb40a2076c0dbe54e46b687c318f87aa (patch) | |
| tree | 3e4b5e42a7a37c2e1a3e60f85605cd5cf22aac1a | |
| parent | fc437c154ef724621a4af236de9bc7e51a8381ae (diff) | |
| download | openssh-git-4fb29eeafb40a2076c0dbe54e46b687c318f87aa.tar.gz | |
upstream: don't attempt to decode a ridiculous number of
attributes; harmless because of bounds elsewhere, but better to be explicit
OpenBSD-Commit-ID: 1a34f4b6896155b80327d15dc7ccf294b538a9f2
| -rw-r--r-- | sftp-common.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sftp-common.c b/sftp-common.c index 50f1bbaf..5d724982 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.c,v 1.33 2022/09/19 10:41:58 djm Exp $ */ +/* $OpenBSD: sftp-common.c,v 1.34 2023/03/31 04:00:37 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Damien Miller. All rights reserved. @@ -137,6 +137,8 @@ decode_attrib(struct sshbuf *b, Attrib *a) if ((r = sshbuf_get_u32(b, &count)) != 0) return r; + if (count > 0x100000) + return SSH_ERR_INVALID_FORMAT; for (i = 0; i < count; i++) { if ((r = sshbuf_get_cstring(b, &type, NULL)) != 0 || (r = sshbuf_get_string(b, &data, &dlen)) != 0) |