Mercurial > dropbear
comparison packet.c @ 990:e3614649b1f5
Integrity error (bad packet size %u) negative length
When corrupted packet is received negative length of packet is
displayed.
(re-apply of pull request #8)
| author | Fedor Brunner <fedor.brunner@azet.sk> |
|---|---|
| date | Fri, 23 Jan 2015 22:21:06 +0800 |
| parents | c4f138dae2fd |
| children | aac0095dc3b4 |
comparison
equal
deleted
inserted
replaced
| 988:6c0fb5428aaa | 990:e3614649b1f5 |
|---|---|
| 281 &ses.keys->recv.cipher_state) != CRYPT_OK) { | 281 &ses.keys->recv.cipher_state) != CRYPT_OK) { |
| 282 dropbear_exit("Error decrypting"); | 282 dropbear_exit("Error decrypting"); |
| 283 } | 283 } |
| 284 len = buf_getint(ses.readbuf) + 4 + macsize; | 284 len = buf_getint(ses.readbuf) + 4 + macsize; |
| 285 | 285 |
| 286 TRACE2(("packet size is %d, block %d mac %d", len, blocksize, macsize)) | 286 TRACE2(("packet size is %u, block %u mac %u", len, blocksize, macsize)) |
| 287 | 287 |
| 288 | 288 |
| 289 /* check packet length */ | 289 /* check packet length */ |
| 290 if ((len > RECV_MAX_PACKET_LEN) || | 290 if ((len > RECV_MAX_PACKET_LEN) || |
| 291 (len < MIN_PACKET_LEN + macsize) || | 291 (len < MIN_PACKET_LEN + macsize) || |
| 292 ((len - macsize) % blocksize != 0)) { | 292 ((len - macsize) % blocksize != 0)) { |
| 293 dropbear_exit("Integrity error (bad packet size %d)", len); | 293 dropbear_exit("Integrity error (bad packet size %u)", len); |
| 294 } | 294 } |
| 295 | 295 |
| 296 if (len > ses.readbuf->size) { | 296 if (len > ses.readbuf->size) { |
| 297 buf_resize(ses.readbuf, len); | 297 buf_resize(ses.readbuf, len); |
| 298 } | 298 } |
| 340 | 340 |
| 341 /* payload length */ | 341 /* payload length */ |
| 342 /* - 4 - 1 is for LEN and PADLEN values */ | 342 /* - 4 - 1 is for LEN and PADLEN values */ |
| 343 len = ses.readbuf->len - padlen - 4 - 1 - macsize; | 343 len = ses.readbuf->len - padlen - 4 - 1 - macsize; |
| 344 if ((len > RECV_MAX_PAYLOAD_LEN+ZLIB_COMPRESS_EXPANSION) || (len < 1)) { | 344 if ((len > RECV_MAX_PAYLOAD_LEN+ZLIB_COMPRESS_EXPANSION) || (len < 1)) { |
| 345 dropbear_exit("Bad packet size %d", len); | 345 dropbear_exit("Bad packet size %u", len); |
| 346 } | 346 } |
| 347 | 347 |
| 348 buf_setpos(ses.readbuf, PACKET_PAYLOAD_OFF); | 348 buf_setpos(ses.readbuf, PACKET_PAYLOAD_OFF); |
| 349 | 349 |
| 350 #ifndef DISABLE_ZLIB | 350 #ifndef DISABLE_ZLIB |