diff options
| author |   djm <djm@openbsd.org> | 2015-06-30 05:25:07 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2015-06-30 05:25:07 +0000 |
| commit | 4b9baadb6b7097189b74bc64d93074a00eab1acb (patch) | |
| tree | eadf247fc9c4825316cff4dd024b084a0226a2f7 | |
| parent | Fix math error in remote window calculations that causes eventual stalls (diff) | |
| download | wireguard-openbsd-4b9baadb6b7097189b74bc64d93074a00eab1acb.tar.xz wireguard-openbsd-4b9baadb6b7097189b74bc64d93074a00eab1acb.zip | |
fatal() when a remote window update causes the window value to
overflow. Reported by Georg Wicherski, ok markus@
| -rw-r--r-- | usr.bin/ssh/channels.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c index 8ac41c55075..e8ece22afa0 100644 --- a/usr.bin/ssh/channels.c +++ b/usr.bin/ssh/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.345 2015/06/30 05:23:25 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.346 2015/06/30 05:25:07 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -2614,7 +2614,7 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) { Channel *c; int id; - u_int adjust; + u_int adjust, tmp; if (!compat20) return 0; @@ -2630,7 +2630,10 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) adjust = packet_get_int(); packet_check_eom(); debug2("channel %d: rcvd adjust %u", id, adjust); - c->remote_window += adjust; + if ((tmp = c->remote_window + adjust) < c->remote_window) + fatal("channel %d: adjust %u overflows remote window %u", + id, adjust, c->remote_window); + c->remote_window = tmp; return 0; } |