Skip to content

Commit a4fe703

Browse files
implausibleimplausible
authored
Merge pull request #1749 from implausible/patch/libssh2
Bring in libssh2#402
2 parents b22ae75 + fcdb122 commit a4fe703

File tree

1 file changed

+29
-39
lines changed

1 file changed

+29
-39
lines changed

vendor/libssh2/src/packet.c

Lines changed: 29 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
419419
size_t datalen, int macstate)
420420
{
421421
int rc = 0;
422-
char *message = NULL;
423-
char *language = NULL;
422+
unsigned char *message = NULL;
423+
unsigned char *language = NULL;
424424
size_t message_len = 0;
425425
size_t language_len = 0;
426426
LIBSSH2_CHANNEL *channelp = NULL;
@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
472472

473473
case SSH_MSG_DISCONNECT:
474474
if(datalen >= 5) {
475-
size_t reason = _libssh2_ntohu32(data + 1);
475+
uint32_t reason = 0;
476+
struct string_buf buf;
477+
buf.data = (unsigned char *)data;
478+
buf.dataptr = buf.data;
479+
buf.len = datalen;
480+
buf.dataptr++; /* advance past type */
476481

477-
if(datalen >= 9) {
478-
message_len = _libssh2_ntohu32(data + 5);
482+
_libssh2_get_u32(&buf, &reason);
483+
_libssh2_get_string(&buf, &message, &message_len);
484+
_libssh2_get_string(&buf, &language, &language_len);
479485

480-
if(message_len < datalen-13) {
481-
/* 9 = packet_type(1) + reason(4) + message_len(4) */
482-
message = (char *) data + 9;
483-
484-
language_len =
485-
_libssh2_ntohu32(data + 9 + message_len);
486-
language = (char *) data + 9 + message_len + 4;
487-
488-
if(language_len > (datalen-13-message_len)) {
489-
/* bad input, clear info */
490-
language = message = NULL;
491-
language_len = message_len = 0;
492-
}
493-
}
494-
else
495-
/* bad size, clear it */
496-
message_len = 0;
497-
}
498486
if(session->ssh_msg_disconnect) {
499-
LIBSSH2_DISCONNECT(session, reason, message,
500-
message_len, language, language_len);
487+
LIBSSH2_DISCONNECT(session, reason, (const char *)message,
488+
message_len, (const char *)language,
489+
language_len);
501490
}
491+
502492
_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
503493
"Disconnect(%d): %s(%s)", reason,
504494
message, language);
@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
539529
int always_display = data[1];
540530

541531
if(datalen >= 6) {
542-
message_len = _libssh2_ntohu32(data + 2);
543-
544-
if(message_len <= (datalen - 10)) {
545-
/* 6 = packet_type(1) + display(1) + message_len(4) */
546-
message = (char *) data + 6;
547-
language_len = _libssh2_ntohu32(data + 6 +
548-
message_len);
549-
550-
if(language_len <= (datalen - 10 - message_len))
551-
language = (char *) data + 10 + message_len;
552-
}
532+
struct string_buf buf;
533+
buf.data = (unsigned char *)data;
534+
buf.dataptr = buf.data;
535+
buf.len = datalen;
536+
buf.dataptr += 2; /* advance past type & always display */
537+
538+
_libssh2_get_string(&buf, &message, &message_len);
539+
_libssh2_get_string(&buf, &language, &language_len);
553540
}
554541

555542
if(session->ssh_msg_debug) {
556-
LIBSSH2_DEBUG(session, always_display, message,
557-
message_len, language, language_len);
543+
LIBSSH2_DEBUG(session, always_display,
544+
(const char *)message,
545+
message_len, (const char *)language,
546+
language_len);
558547
}
559548
}
549+
560550
/*
561551
* _libssh2_debug will actually truncate this for us so
562552
* that it's not an inordinate about of data
@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
579569
uint32_t len = 0;
580570
unsigned char want_reply = 0;
581571
len = _libssh2_ntohu32(data + 1);
582-
if(datalen >= (6 + len)) {
572+
if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
583573
want_reply = data[5 + len];
584574
_libssh2_debug(session,
585575
LIBSSH2_TRACE_CONN,

0 commit comments

Comments
 (0)