[Ttssh2-commit] [7026] payloadの残りの長さのチェックを行うようにした @ handle_SSH2_dh_gex_group ()

scmno****@osdn***** scmno****@osdn*****
2018年 1月 25日 (木) 21:21:59 JST


Revision: 7026
          http://sourceforge.jp/projects/ttssh2/scm/svn/commits/7026
Author:   doda
Date:     2018-01-25 21:21:59 +0900 (Thu, 25 Jan 2018)
Log Message:
-----------
payloadの残りの長さのチェックを行うようにした @ handle_SSH2_dh_gex_group()

Modified Paths:
--------------
    trunk/ttssh2/ttxssh/ssh.c

-------------- next part --------------
Modified: trunk/ttssh2/ttxssh/ssh.c
===================================================================
--- trunk/ttssh2/ttxssh/ssh.c	2018-01-25 12:21:55 UTC (rev 7025)
+++ trunk/ttssh2/ttxssh/ssh.c	2018-01-25 12:21:59 UTC (rev 7026)
@@ -5453,11 +5453,14 @@
 	notify_fatal_error(pvar, "error occurred @ SSH2_dh_gex_kex_init()", TRUE);
 }
 
-
-// SSH2_MSG_KEX_DH_GEX_GROUP
+/*
+ * SSH2_MSG_KEX_DH_GEX_GROUP:
+ *   byte    SSH_MSG_KEX_DH_GEX_GROUP
+ *   mpint   p, safe prime
+ *   mpint   g, generator for subgroup in GF(p)
+ */
 static BOOL handle_SSH2_dh_gex_group(PTInstVar pvar)
 {
-	char *data;
 	int len, grp_bits;
 	BIGNUM *p = NULL, *g = NULL;
 	DH *dh = NULL;
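Review bot: `len` is still declared in `int len, grp_bits;`, although the only assignment to it visible in this commit (`len = pvar->ssh_state.payloadlen;`, removed in the next hunk) is gone. If nothing further down the function reads it, narrow the declaration to `int grp_bits;`. The function body continues outside this hunk, so check this against the full file. The new header comment could also state that p and g are supplied by the server, for example ` * p and g are peer-controlled; both are read with a remaining-length check.`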
@@ -5467,18 +5470,15 @@
 
 	logputs(LOG_LEVEL_VERBOSE, "SSH2_MSG_KEX_DH_GEX_GROUP was received.");
 
-	// 6byte\x81i\x83T\x83C\x83Y\x81{\x83p\x83f\x83B\x83\x93\x83O\x81{\x83^\x83C\x83v\x81j\x82\xF0\x8E\xE6\x82菜\x82\xA2\x82\xBD\x88ȍ~\x82̃y\x83C\x83\x8D\x81[\x83h
-	data = pvar->ssh_state.payload;
-	// \x83p\x83P\x83b\x83g\x83T\x83C\x83Y - (\x83p\x83f\x83B\x83\x93\x83O\x83T\x83C\x83Y+1)\x81G\x90^\x82̃p\x83P\x83b\x83g\x83T\x83C\x83Y
-	len = pvar->ssh_state.payloadlen;
-
 	p = BN_new();
 	g = BN_new();
 	if (p == NULL || g == NULL)
 		goto error;
 
-	buffer_get_bignum2(&data, p); // \x91f\x90\x94\x82̎擾
-	buffer_get_bignum2(&data, g); // \x90\xB6\x90\xAC\x8C\xB3\x82̎擾
+	if (!get_mpint_from_payload(pvar, p) || !get_mpint_from_payload(pvar, g)) {
+		notify_fatal_error(pvar, __FUNCTION__ ":truncated packet (mpint)", FALSE);
+		return FALSE;
+	}
 
 	grp_bits = BN_num_bits(p);
 	logprintf(LOG_LEVEL_VERBOSE, "DH-GEX: Request: %d / %d / %d, Received: %d",
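Review bot: The new truncated-packet branch leaves with `return FALSE;` after `p` and `g` have been allocated by `BN_new()`, whereas the allocation-failure check just above uses `goto error;`. If the `error` label (outside this hunk) frees `p`, `g` and `dh`, then each malformed SSH2_MSG_KEX_DH_GEX_GROUP from a server leaks both BIGNUMs. Replacing the return with `goto error;` would keep the cleanup in one place, provided that label does not raise a second, conflicting `notify_fatal_error`. Separately, `__FUNCTION__ ":truncated packet (mpint)"` compiles only where `__FUNCTION__` is a string literal, as in MSVC. Passing the name through a format argument, as the `logprintf` call below does for its values, would avoid that dependency.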


