# HG changeset patch
# User Matt Johnston
# Date 1368026594 -28800
# Node ID 0bf76f54de6fc6dda70985a51ee7b25922e6fea4
# Parent 7bd88d546627ff31d0e2d91e6022b3e77a943efb
Limit decompressed size
diff -r 7bd88d546627 -r 0bf76f54de6f packet.c
--- a/packet.c Mon Apr 29 23:42:37 2013 +0800
+++ b/packet.c Wed May 08 23:23:14 2013 +0800
@@ -42,7 +42,7 @@
 static int checkmac();
 #define ZLIB_COMPRESS_INCR 100
-#define ZLIB_DECOMPRESS_INCR 100
+#define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
 static buffer* buf_decompress(buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
@@ -420,7 +420,12 @@
 }
 if (zstream->avail_out == 0) {
- buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
+ int new_size = 0;
+ if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
+ dropbear_exit("bad packet, oversized decompressed");
+ }
+ new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
+ buf_resize(ret, new_size);
 }
 }
 }
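Review bot: `new_size` in the `avail_out == 0` branch is declared `int`, yet it is computed from `ret->size` and passed straight to `buf_resize()`; if the buffer's size field is `unsigned int`, as the `unsigned int len` prototypes in the first hunk suggest, the declaration should match: `unsigned int new_size = 0;`. The cap is what stops a small compressed packet from the peer from growing the output buffer without bound, so the check deserves a comment saying so, e.g. `/* peer-controlled zlib stream: never grow past RECV_MAX_PAYLOAD_LEN */`. Because the exit fires whenever the buffer is full and already at the cap, a payload that inflates to exactly RECV_MAX_PAYLOAD_LEN may also be rejected, depending on the loop's return condition, which is not visible here. The enclosing function starts outside the hunk.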