authorPhilippe Antoine <contact@catenacyber.fr>2020-04-02 16:35:10 +0200
committerPhilippe Antoine <contact@catenacyber.fr>2020-04-02 16:35:10 +0200
commit3bbb0cd3296023f6f922c71d21a1c374d2b0a435 (patch)
treee75bde1bc6467a30df65ce3235b08a4b429cd8c4 /src/lib/protocols/ssh.c
parent56ca71bda9870e78ba0ee70fe226c4a4fcc36a04 (diff)
ssh: adds systematic bounds checks in concat_hash_string
cf GHSL-2020-052
Diffstat (limited to 'src/lib/protocols/ssh.c')
-rw-r--r--src/lib/protocols/ssh.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 853fbb24b..292433e55 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -110,10 +110,14 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
buf[buf_out_len++] = ';';
offset += len;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
/* ssh.server_host_key_algorithms [None] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
offset += 4 + len;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
/* ssh.encryption_algorithms_client_to_server [C] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
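Review bot: The new guards run only after `offset += 4 + len;` has been applied, and `len` is taken straight from the packet with `ntohl`, so a large length can wrap or truncate `offset` to a small value that still passes `offset+sizeof(u_int32_t) >= packet->payload_packet_len`. The declaration of `offset` is outside the hunk, so its width should be confirmed; the function's `u_int16_t` return type suggests it may be narrow. The 4-byte read then stays inside the payload, but parsing resumes at the wrong position and the hash string is built from bytes that are not the announced name-list. Unless lines outside the hunk already bound `len`, validate it before advancing, right after each `len = ntohl(...)`: `if(len > packet->payload_packet_len - offset - 4) goto invalid_payload;` (the preceding guard ensures the subtraction cannot underflow). The same applies to the `offset += 4 + len;` lines in the other four hunks; the body of concat_hash_string starts and ends outside this hunk.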
@@ -130,6 +134,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
} else
offset += 4 + len;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
/* ssh.encryption_algorithms_server_to_client [S] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
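Review bot: The identical two-line guard is pasted before every length read here and in the other hunks, which makes it easy for a later field to be added without it. Folding it into one named predicate keeps the bound in a single place, for example `#define SSH_HAS_U32(p, off) ((off) + sizeof(u_int32_t) < (p)->payload_packet_len)`, used as `if(!SSH_HAS_U32(packet, offset)) goto invalid_payload;`. A short comment next to it should say that the comparison deliberately rejects a length field ending exactly at the end of the payload, since the `>=` form is stricter than the 4-byte read itself requires.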
@@ -146,6 +152,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
} else
offset += 4 + len;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
/* ssh.mac_algorithms_client_to_server [C] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
@@ -162,6 +170,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
} else
offset += 4 + len;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
/* ssh.mac_algorithms_server_to_client [S] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);
@@ -195,6 +205,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
} else
offset += 4 + len;
+ if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+ goto invalid_payload;
/* ssh.compression_algorithms_server_to_client [S] */
len = ntohl(*(u_int32_t*)&packet->payload[offset]);