Commit c1bc2ff
fix: bound extended-count pre-allocation in unmarshalFileStat
The SSH_FILEXFER_ATTRS decoder allocated the extended-attribute slice
directly from the wire-supplied extended_count.
This is reachable server-side post-authentication via Request.Attributes()
and the SETSTAT/FSETSTAT/OPEN paths, and client-side from a malicious
server via Stat/Lstat/Fstat/Open/ReadDir attribute parsing.
Bound the pre-allocation to the number of entries that can fit in the
remaining bytes (each entry is two length-prefixed strings, i.e. at least
8 bytes) and grow the slice with append.
Co-authored-by: Michael Bommarito <michael.bommarito@gmail.com>1 parent fe6029a commit c1bc2ff
2 files changed
Lines changed: 32 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
225 | 225 | | |
226 | 226 | | |
227 | 227 | | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
228 | 234 | | |
229 | 235 | | |
230 | 236 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
34 | 60 | | |
35 | 61 | | |
36 | 62 | | |
| |||
0 commit comments