diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-06-30 05:25:07 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-06-30 16:12:20 +1000 |
| commit | 629df770dbadc2accfbe1c81b3f31f876d0acd84 (patch) | |
| tree | e56dd5ecd155755b92b4a45610057c1a9c6edd51 | |
| parent | f715afebe735d61df3fd30ad72d9ac1c8bd3b5f2 (diff) | |
upstream commit
fatal() when a remote window update causes the window
value to overflow. Reported by Georg Wicherski, ok markus@
Upstream-ID: ead397a9aceb3bf74ebfa5fcaf259d72e569f351
| -rw-r--r-- | channels.c | 9 |
1 files changed, 6 insertions, 3 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.345 2015/06/30 05:23:25 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.346 2015/06/30 05:25:07 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -2641,7 +2641,7 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) { Channel *c; int id; - u_int adjust; + u_int adjust, tmp; if (!compat20) return 0; @@ -2657,7 +2657,10 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) adjust = packet_get_int(); packet_check_eom(); debug2("channel %d: rcvd adjust %u", id, adjust); - c->remote_window += adjust; + if ((tmp = c->remote_window + adjust) < c->remote_window) + fatal("channel %d: adjust %u overflows remote window %u", + id, adjust, c->remote_window); + c->remote_window = tmp; return 0; } |