author | djm@openbsd.org <djm@openbsd.org> | 2023-03-31 06:00:37 +0200 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2023-03-31 06:06:20 +0200 |
commit | 4fb29eeafb40a2076c0dbe54e46b687c318f87aa (patch) | |
tree | 3e4b5e42a7a37c2e1a3e60f85605cd5cf22aac1a /sftp-common.c | |
parent | upstream: remove unused variable; prompted by Coverity CID 291879 (diff) | |
upstream: don't attempt to decode a ridiculous number of
attributes; harmless because of bounds elsewhere, but better to be explicit
OpenBSD-Commit-ID: 1a34f4b6896155b80327d15dc7ccf294b538a9f2
Diffstat (limited to 'sftp-common.c')
-rw-r--r-- | sftp-common.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sftp-common.c b/sftp-common.c
index 50f1bbafb..5d7249825 100644
--- a/sftp-common.c
+++ b/sftp-common.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-common.c,v 1.33 2022/09/19 10:41:58 djm Exp $ */
+/* $OpenBSD: sftp-common.c,v 1.34 2023/03/31 04:00:37 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2001 Damien Miller. All rights reserved.
@@ -137,6 +137,8 @@ decode_attrib(struct sshbuf *b, Attrib *a)
 if ((r = sshbuf_get_u32(b, &count)) != 0)
 return r;
+ if (count > 0x100000)
+ return SSH_ERR_INVALID_FORMAT;
 for (i = 0; i < count; i++) {
 if ((r = sshbuf_get_cstring(b, &type, NULL)) != 0 ||
 (r = sshbuf_get_string(b, &data, &dlen)) != 0)
|
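Review bot: The limit `0x100000` in the added check on `count` is an unexplained magic number, and `count` is read straight from the peer's packet by `sshbuf_get_u32`, so a later reader cannot tell whether it is a protocol limit or an arbitrary sanity cap. A one-line comment above the check would record the intent stated in the commit message, for example `/* sanity cap on peer-supplied attribute count; other bounds limit the real work */`, or the value could become a named constant. Because each loop iteration reads two length-prefixed strings (at least 8 bytes on the wire), a cap derived from the data actually present, `if (count > sshbuf_len(b) / 8)`, would be tighter than a fixed value of about a million. This is offered as a suggestion only: the loop body continues outside the hunk, and the other bounds the commit message refers to are not visible here.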