scmno****@osdn*****
scmno****@osdn*****
2018年 1月 25日 (木) 21:21:59 JST
Revision: 7026
http://sourceforge.jp/projects/ttssh2/scm/svn/commits/7026
Author: doda
Date: 2018-01-25 21:21:59 +0900 (Thu, 25 Jan 2018)
Log Message:
-----------
payloadの残りの長さのチェックを行うようにした @ handle_SSH2_dh_gex_group()
Modified Paths:
--------------
trunk/ttssh2/ttxssh/ssh.c
-------------- next part --------------
Modified: trunk/ttssh2/ttxssh/ssh.c
===================================================================
--- trunk/ttssh2/ttxssh/ssh.c 2018-01-25 12:21:55 UTC (rev 7025)
+++ trunk/ttssh2/ttxssh/ssh.c 2018-01-25 12:21:59 UTC (rev 7026)
@@ -5453,11 +5453,14 @@
 notify_fatal_error(pvar, "error occurred @ SSH2_dh_gex_kex_init()", TRUE);
 }
-
-// SSH2_MSG_KEX_DH_GEX_GROUP
+/*
+ * SSH2_MSG_KEX_DH_GEX_GROUP:
+ * byte SSH_MSG_KEX_DH_GEX_GROUP
+ * mpint p, safe prime
+ * mpint g, generator for subgroup in GF(p)
+ */
 static BOOL handle_SSH2_dh_gex_group(PTInstVar pvar)
 {
- char *data;
 int len, grp_bits;
 BIGNUM *p = NULL, *g = NULL;
 DH *dh = NULL;
@@ -5467,18 +5470,15 @@
 logputs(LOG_LEVEL_VERBOSE, "SSH2_MSG_KEX_DH_GEX_GROUP was received.");
- // 6byte\x81i\x83T\x83C\x83Y\x81{\x83p\x83f\x83B\x83\x93\x83O\x81{\x83^\x83C\x83v\x81j\x82\xF0\x8E\xE6\x82菜\x82\xA2\x82\xBD\x88ȍ~\x82̃y\x83C\x83\x8D\x81[\x83h data = pvar->ssh_state.payload;
- // \x83p\x83P\x83b\x83g\x83T\x83C\x83Y - (\x83p\x83f\x83B\x83\x93\x83O\x83T\x83C\x83Y+1)\x81G\x90^\x82̃p\x83P\x83b\x83g\x83T\x83C\x83Y len = pvar->ssh_state.payloadlen;
-
 p = BN_new();
 g = BN_new();
 if (p == NULL || g == NULL) goto error;
- buffer_get_bignum2(&data, p); // \x91f\x90\x94\x82̎擾
- buffer_get_bignum2(&data, g); // \x90\xB6\x90\xAC\x8C\xB3\x82̎擾
+ if (!get_mpint_from_payload(pvar, p) || !get_mpint_from_payload(pvar, g)) {
+ notify_fatal_error(pvar, __FUNCTION__ ":truncated packet (mpint)", FALSE);
+ return FALSE;
+ }
 grp_bits = BN_num_bits(p);
 logprintf(LOG_LEVEL_VERBOSE, "DH-GEX: Request: %d / %d / %d, Received: %d",
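Review bot: The new truncated-packet branch in the second hunk leaves through `return FALSE;` right after `notify_fatal_error(...)`, so the `p` and `g` obtained from `BN_new()` a few lines above are not released on that path, while the allocation failure just above it leaves through `goto error`. This branch is reached when the server sends a short or malformed SSH2_MSG_KEX_DH_GEX_GROUP, so it is the path where consistent cleanup matters most. I would free both before returning, `BN_free(p); BN_free(g);`, or jump to the existing cleanup if the `error:` label already frees them without raising a second notification. The label and the rest of handle_SSH2_dh_gex_group are outside the hunk, so which of the two fits has to be confirmed there.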