disconnect for invalid (out of range) message types.

2 files changed, 9 insertions, 2 deletions

diff --git a/usr.bin/ssh/packet.c b/usr.bin/ssh/packet.c
index 8ed67c162ab..f0539eae013 100644
--- a/usr.bin/ssh/packet.c
+++ b/usr.bin/ssh/packet.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.115 2004/06/21 17:36:31 avsm Exp $");
+RCSID("$OpenBSD: packet.c,v 1.116 2004/10/20 11:48:53 markus Exp $");
 
 #include <sys/queue.h>
 
@@ -976,6 +976,8 @@ packet_read_poll1(void)
 		    buffer_len(&compression_buffer));
 	}
 	type = buffer_get_char(&incoming_packet);
+	if (type < SSH_MSG_MIN || type > SSH_MSG_MAX)
+		packet_disconnect("Invalid ssh1 packet type: %d", type);
 	return type;
 }
 
@@ -1088,6 +1090,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
 	 * return length of payload (without type field)
 	 */
 	type = buffer_get_char(&incoming_packet);
+	if (type < SSH2_MSG_MIN || type >= SSH2_MSG_LOCAL_MIN)
+		packet_disconnect("Invalid ssh2 packet type: %d", type);
 	if (type == SSH2_MSG_NEWKEYS)
 		set_newkeys(MODE_IN);
 #ifdef PACKET_DEBUG
diff --git a/usr.bin/ssh/ssh1.h b/usr.bin/ssh/ssh1.h
index cc7fbc8b006..1741c229a09 100644
--- a/usr.bin/ssh/ssh1.h
+++ b/usr.bin/ssh/ssh1.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssh1.h,v 1.4 2004/07/11 17:48:47 deraadt Exp $	*/
+/*	$OpenBSD: ssh1.h,v 1.5 2004/10/20 11:48:53 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -18,6 +18,9 @@
  * for compatibility.  The maximum value is 254; value 255 is reserved for
  * future extension.
  */
+/* Ranges */
+#define SSH_MSG_MIN				1
+#define SSH_MSG_MAX				254
 /* Message name */			/* msg code */	/* arguments */
 #define SSH_MSG_NONE				0	/* no message */
 #define SSH_MSG_DISCONNECT			1	/* cause (string) */