author | Matt Johnston <matt@ucc.asn.au> | 2013-05-08 23:23:14 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2013-05-08 23:23:14 +0800 |
commit | 6e2866a7b0db5d1dbd32b272545a554c043eff84 (patch) | |
tree | b2512865e77d05f6395c91d7b4219ba094832a29 /packet.c | |
parent | ad8ea1168f125b7ad7455c8b5151ec78bebbac63 (diff) | |
download | dropbear-6e2866a7b0db5d1dbd32b272545a554c043eff84.tar.gz |
Limit decompressed size
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
 static int checkmac();
 #define ZLIB_COMPRESS_INCR 100
-#define ZLIB_DECOMPRESS_INCR 100
+#define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
 static buffer* buf_decompress(buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
 }
 if (zstream->avail_out == 0) {
- buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
+ int new_size = 0;
+ if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
+ dropbear_exit("bad packet, oversized decompressed");
+ }
+ new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
+ buf_resize(ret, new_size);
 }
 }
 }
|
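Review bot: In the second hunk, the `ret->size >= RECV_MAX_PAYLOAD_LEN` test fires whenever the output buffer is full at the cap, so a payload that inflates to exactly RECV_MAX_PAYLOAD_LEN bytes may also be rejected. Whether it is depends on the loop's normal return path, which lies outside the hunk and should be checked for a requirement that `avail_out != 0`. The guard carries no comment explaining why it exists; something like `/* cap output growth so a small compressed packet cannot inflate past RECV_MAX_PAYLOAD_LEN */` above the `if` would record that this is the defence against unbounded memory use from peer-supplied data. Separately, `new_size` is declared `int` although it is derived from `ret->size` and handed to `buf_resize`; if those are unsigned, as `unsigned int len` in the signature suggests, `unsigned int new_size` would avoid the mixed-sign arithmetic.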