Subject: Re: [libssh2] All Your Mem Belongs to Us

From: James Housley <jim_at_thehousleys.net>
Date: Fri, 10 Nov 2006 08:04:39 -0500

On Nov 10, 2006, at 5:45 AM, Daniel Stenberg wrote:

> On Fri, 10 Nov 2006, Daniel Stenberg wrote:
>
>> 2. What about some sensibility-checks to avoid allocating over-the-top
>> amounts? It seems like a dead-easy way to screw up clients if you are an
>> evil server.
>
> Yeps, a clear deviance from what the RFC tells us. Here's a little patch that
> makes libssh2 abort my "abuse" nice and clean.
>
> --- packet.c~ 2006-06-22 20:31:55.000000000 +0200
> +++ packet.c 2006-11-10 11:42:46.000000000 +0100
> @@ -886,6 +886,19 @@
> return -1;
> }
> packet_length = libssh2_ntohu32(buf);
> +
> + /* RFC4253 section 6.1 Maximum Packet Length says:
> +
> + "All implementations MUST be able to process
> packets with
> + uncompressed payload length of 32768 bytes or
> less and
> + total packet size of 35000 bytes or less
> (including length,
> + padding length, payload, padding, and MAC.)."
> +
> + */
> + if(packet_length > 35000) {
> + return -1;
> + }
> +
> padding_length = buf[4];
> #ifdef LIBSSH2_DEBUG_TRANSPORT
> _libssh2_debug(session, LIBSSH2_DBG_TRANS, "Processing plaintext
> packet %lu bytes long (with %lu bytes padding)", packet_length,
> padding_length);
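Review bot: the new check caps `packet_length` at 35000, but `padding_length = buf[4];` on the very next line is still taken from the wire unchecked, and since packet_length covers the padding-length byte, the payload and the padding, a value with `padding_length + 1 > packet_length` would make any later payload-size subtraction wrap; add a second guard right after that line, e.g. `if(padding_length + 1 > packet_length) return -1;`. Two smaller points: 35000 in RFC 4253 is the bound on the whole packet including the 4-byte length field and the MAC, so using it on the length field alone is slightly loose but safe as a conservative cap; and returning a bare `-1` here gives the caller no way to distinguish "oversized packet from peer" from the other `return -1` paths, so an `_libssh2_debug(...)` line like the existing one below, or a dedicated error code, would help whoever has to diagnose a disconnect.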

Looking at the code, it seems the same should be applied between lines
767/768, do you agree?

Jim

--
/"\   ASCII Ribbon Campaign  .
\ / - NO HTML/RTF in e-mail  .
  X  - NO Word docs in e-mail .
/ \ -----------------------------------------------------------------
jeh@FreeBSD.org      http://www.FreeBSD.org     The Power to Serve
jim@TheHousleys.Net  http://www.TheHousleys.net
---------------------------------------------------------------------
The wise man built his network upon Un*x.
     The foolish man built his network upon Windows.
Received on 2006-11-10
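The sanity check discussed in this thread, as an added C example that is not libssh2's own code: it parses the RFC 4253 binary-packet header (uint32 packet_length, byte padding_length) from a buffer and rejects it before any allocation when the length exceeds the 35000-byte bound, when the padding is shorter than the 4 bytes the RFC requires, or when padding_length cannot fit inside packet_length. The function and type names (ssh_parse_header, ssh_put_header, struct ssh_hdr, the SSH_HDR_* status codes) and the sample packets built in main are assumptions constructed for this example, not identifiers from libssh2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4253 section 6.1: every implementation must be able to process a
   packet of 35000 bytes or less in total. We use it as a hard cap on what
   a peer may ask us to allocate for one packet (assumed local policy). */
#define SSH_MAX_PACKET_LEN 35000u
/* RFC 4253 section 6: there must be at least four bytes of random padding. */
#define SSH_MIN_PADDING 4u

enum ssh_hdr_status {
    SSH_HDR_OK          =  0,
    SSH_HDR_TRUNCATED   = -1,  /* fewer than 5 header bytes available     */
    SSH_HDR_TOO_LONG    = -2,  /* packet_length above the RFC bound       */
    SSH_HDR_BAD_PADDING = -3   /* padding too short or larger than packet */
};

struct ssh_hdr {
    uint32_t packet_length;   /* length of padding_length byte + payload + padding */
    uint8_t  padding_length;
    uint32_t payload_length;  /* derived: packet_length - padding_length - 1 */
};

/* Big-endian uint32 read, equivalent to libssh2_ntohu32 in the quoted patch. */
static uint32_t ssh_get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Encode a header into buf (needs 5 bytes); used to build constructed samples. */
void ssh_put_header(unsigned char *buf, uint32_t packet_length, uint8_t padding_length) {
    buf[0] = (unsigned char)(packet_length >> 24);
    buf[1] = (unsigned char)(packet_length >> 16);
    buf[2] = (unsigned char)(packet_length >> 8);
    buf[3] = (unsigned char)(packet_length);
    buf[4] = padding_length;
}

/* Validate the first 5 bytes of a decrypted packet before anything is
   allocated or subtracted from the lengths. Returns SSH_HDR_OK or a
   negative ssh_hdr_status value. */
int ssh_parse_header(const unsigned char *buf, size_t buflen, struct ssh_hdr *out) {
    uint32_t packet_length;
    uint8_t  padding_length;

    if (buflen < 5)
        return SSH_HDR_TRUNCATED;

    packet_length = ssh_get_u32(buf);
    if (packet_length > SSH_MAX_PACKET_LEN)        /* the check from the patch */
        return SSH_HDR_TOO_LONG;

    padding_length = buf[4];
    /* packet_length covers the padding_length byte itself plus padding, so a
       padding value that does not fit would make the payload size wrap. */
    if (padding_length < SSH_MIN_PADDING ||
        (uint32_t)padding_length + 1 > packet_length)
        return SSH_HDR_BAD_PADDING;

    out->packet_length  = packet_length;
    out->padding_length = padding_length;
    out->payload_length = packet_length - padding_length - 1;
    return SSH_HDR_OK;
}

int main(void) {
    /* Constructed sample headers: one well-formed, then three hostile ones. */
    struct { const char *name; uint32_t len; uint8_t pad; } samples[] = {
        { "valid 12-byte packet, 6 bytes padding", 12u,          6u   },
        { "oversized length field",                0xFFFFFFFFu, 4u   },
        { "padding larger than packet",            12u,          200u },
        { "padding below RFC minimum",             12u,          1u   },
    };
    unsigned char buf[5];
    struct ssh_hdr hdr;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ssh_put_header(buf, samples[i].len, samples[i].pad);
        int rc = ssh_parse_header(buf, sizeof buf, &hdr);
        printf("%-40s -> status %d", samples[i].name, rc);
        if (rc == SSH_HDR_OK)
            printf(" (payload %u bytes)", (unsigned)hdr.payload_length);
        printf("\n");
    }
    return 0;
}
```

The order of the checks matters: packet_length is bounded before padding_length is even read, so a hostile length never reaches an allocator, and the padding relation is verified before the subtraction that computes the payload size, which is the case the patch in this thread does not yet cover.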