merge

author: Matt Johnston <matt@ucc.asn.au> 2013-05-26 18:43:00 +0800
committer: Matt Johnston <matt@ucc.asn.au> 2013-05-26 18:43:00 +0800
commit: e355f69401f2be48e8c77281332da514d58b3c7f (patch)
tree: b74d8e880639b2350ea82deee71eeff358cb2f3a /packet.c
parent: c2b1327debff9416d5e46d8b93a529e179edf85a (diff)
parent: a57947c513a53e77de0b2eaa67ca6404f444a29f (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/packet.c b/packet.c
index 09f0600..d458ccf 100644
--- a/packet.c
+++ b/packet.c
@@ -42,7 +42,7 @@ static void make_mac(unsigned int seqno, const struct key_context_directional *
 static int checkmac();
 
 #define ZLIB_COMPRESS_INCR 100
-#define ZLIB_DECOMPRESS_INCR 100
+#define ZLIB_DECOMPRESS_INCR 1024
 #ifndef DISABLE_ZLIB
 static buffer* buf_decompress(buffer* buf, unsigned int len);
 static void buf_compress(buffer * dest, buffer * src, unsigned int len);
@@ -420,7 +420,12 @@ static buffer* buf_decompress(buffer* buf, unsigned int len) {
 		}
 
 		if (zstream->avail_out == 0) {
-			buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR);
+			int new_size = 0;
+			if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
+				dropbear_exit("bad packet, oversized decompressed");
+			}
+			new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
+			buf_resize(ret, new_size);
 		}
 	}
 }
author	Matt Johnston <matt@ucc.asn.au>	2013-05-26 18:43:00 +0800
committer	Matt Johnston <matt@ucc.asn.au>	2013-05-26 18:43:00 +0800
commit	e355f69401f2be48e8c77281332da514d58b3c7f (patch)
tree	b74d8e880639b2350ea82deee71eeff358cb2f3a /packet.c
parent	c2b1327debff9416d5e46d8b93a529e179edf85a (diff)
parent	a57947c513a53e77de0b2eaa67ca6404f444a29f (diff)