commit c98dcf4bdb1f4c2000ab6ef19173c35f04e0148b |
Author: Michael Buckley <michael@panic.com> |
Date: Tue Dec 4 13:10:41 2018 -0800 |
|
Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read. |
|
diff --git a/src/sftp.c b/src/sftp.c |
8 |
index 7c44116..65cef85 100644 |
9 |
--- a/src/sftp.c |
10 |
+++ b/src/sftp.c |
11 |
@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp) |
12 |
return _libssh2_error(session, |
13 |
LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED, |
14 |
"SFTP packet too large"); |
15 |
+ if (sftp->partial_len == 0) |
16 |
+ return _libssh2_error(session, |
17 |
+ LIBSSH2_ERROR_ALLOC, |
18 |
+ "Unable to allocate empty SFTP packet"); |
19 |
|
20 |
_libssh2_debug(session, LIBSSH2_TRACE_SFTP, |
21 |
"Data begin - Packet Length: %lu", |
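Review bot: The added `sftp->partial_len == 0` guard reports a zero packet length as `LIBSSH2_ERROR_ALLOC` with the text "Unable to allocate empty SFTP packet", although no allocation is attempted on this path, so a caller or log reader cannot tell a malformed packet from memory exhaustion. A protocol-level code describes the condition better, e.g. `return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "SFTP packet length is zero");`. The guard also rejects only the value zero: if the code after the allocation (outside this hunk) reads a type byte or request id from the buffer, a length shorter than those fields would presumably still be read past, so comparing against the minimum packet size is worth considering instead of `== 0`. A one-line comment such as `/* partial_len is presumably taken from the wire; zero would yield a zero-byte buffer that is read later */` would record why the check exists. sftp_packet_read's body starts and ends outside the hunk.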