authorMatt Johnston <matt@ucc.asn.au>2013-05-08 23:23:14 +0800
committerMatt Johnston <matt@ucc.asn.au>2013-05-08 23:23:14 +0800
commit6e2866a7b0db5d1dbd32b272545a554c043eff84 (patch)
treeb2512865e77d05f6395c91d7b4219ba094832a29 /packet.c
parentad8ea1168f125b7ad7455c8b5151ec78bebbac63 (diff)
downloaddropbear-6e2866a7b0db5d1dbd32b272545a554c043eff84.tar.gz
Limit decompressed size
Diffstat (limited to 'packet.c')
-rw-r--r--packet.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/packet.c b/packet.c
index 09f0600..d458ccf 100644
--- a/packet.c
+++ b/packet.c
@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
static int checkmac();
#define ZLIB_COMPRESS_INCR 100
-#define ZLIB_DECOMPRESS_INCR 100
+#define ZLIB_DECOMPRESS_INCR 1024
#ifndef DISABLE_ZLIB
static buffer* buf_decompress(buffer* buf, unsigned int len);
static void buf_compress(buffer * dest, buffer * src, unsigned int len);
@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
}
if (zstream->avail_out == 0) {
- buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
+ int new_size = 0;
+ if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
+ dropbear_exit("bad packet, oversized decompressed");
+ }
+ new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
+ buf_resize(ret, new_size);
}
}
}
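Review bot: `new_size` in the added block is a signed `int`, yet it holds a buffer size computed from `ret->size` and is passed straight to `buf_resize`. The types of `ret->size` and of the `buf_resize` parameter are not visible here, but the `len` parameters in the prototypes above are `unsigned int`, so `unsigned int new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);` would avoid a mixed-sign comparison inside `MIN`. The cap also deserves a one-line comment above the check, e.g. `/* bound output so a small compressed packet cannot force unbounded allocation */`, since the reason is currently only in the commit title. Because the check runs only when `avail_out == 0`, whether a payload that inflates to exactly `RECV_MAX_PAYLOAD_LEN` bytes is accepted or rejected depends on the loop's exit condition, which lies outside this hunk and is worth confirming with a test. `buf_decompress` starts before the hunk.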