
Commit 3bbb0cd

committed
ssh: adds systematic bounds checks in concat_hash_string
cf GHSL-2020-052
1 parent 56ca71b commit 3bbb0cd


1 file changed

+12
-0
lines changed


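--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -110,10 +110,14 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 buf[buf_out_len++] = ';';
 offset += len;
 
+if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+goto invalid_payload;
 /* ssh.server_host_key_algorithms [None] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
 offset += 4 + len;
 
+if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+goto invalid_payload;
 /* ssh.encryption_algorithms_client_to_server [C] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
 
@@ -130,6 +134,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 } else
 offset += 4 + len;
 
+if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+goto invalid_payload;
 /* ssh.encryption_algorithms_server_to_client [S] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
 
@@ -146,6 +152,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 } else
 offset += 4 + len;
 
+if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+goto invalid_payload;
 /* ssh.mac_algorithms_client_to_server [C] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
 
@@ -162,6 +170,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 } else
 offset += 4 + len;
 
+if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+goto invalid_payload;
 /* ssh.mac_algorithms_server_to_client [S] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
 
@@ -195,6 +205,8 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 } else
 offset += 4 + len;
 
+if(offset+sizeof(u_int32_t) >= packet->payload_packet_len)
+goto invalid_payload;
 /* ssh.compression_algorithms_server_to_client [S] */
 len = ntohl(*(u_int32_t*)&packet->payload[offset]);
 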
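Review bot: The six added guards only establish that the 4-byte length prefix lies inside the payload; the `len` read from it is still added to `offset` unchecked at new line 117 (`offset += 4 + len;`) and in the `else` branches at new lines 135, 153, 171 and 206. `len` comes straight from the packet, so if the sum wraps or is truncated when stored into `offset` (both declarations are outside the hunks, so this is inferred), the next guard can pass with an offset that no longer follows the previous field and the parser continues on misread data. Validating the length before advancing would close that gap, e.g. `if(len > packet->payload_packet_len - offset - 4) goto invalid_payload;` directly after each `len = ntohl(...)`. A short comment on the guard such as `/* need 4 bytes for the length prefix at offset */` would also explain why `sizeof(u_int32_t)` is added. The body of concat_hash_string and the `invalid_payload` label both lie outside the visible hunks.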
