Here's a patch that addresses it. You may want to do it differently
though, as subtracting from the write index is a little weird, but I
couldn't see how else to do it since we need to determine padding
length from the first block.
-Lucas
Index: transport.c
===================================================================
RCS file: /cvsroot/libssh2/libssh2/src/transport.c,v
retrieving revision 1.2
diff -u -8 -p -r1.2 transport.c
--- transport.c 2 Feb 2007 23:23:37 -0000 1.2
+++ transport.c 13 Feb 2007 23:45:59 -0000
@@ -432,16 +432,19 @@ libssh2pack_t libssh2_packet_read(LIBSSH
}
else {
/* unencrypted data should not be decrypted
at all */
numdecrypt = 0;
}
/* if there are bytes to decrypt, do that */
if(numdecrypt > 0) {
+ /* We can only decrypt a multiple of the
blocksize */
+ numdecrypt -= (numdecrypt % session-
>remote.crypt->blocksize);
+
/* now decrypt the lot */
rc = decrypt(session, &p->buf[p->readidx],
p->wptr, numdecrypt);
if(rc != PACKET_NONE) {
return rc;
}
/* advance the read pointer */
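Review bot: the block-size rounding is placed inside the `if(numdecrypt > 0)` branch, so when fewer than `blocksize` bytes are pending the subtraction drives `numdecrypt` to 0 and `decrypt(session, &p->buf[p->readidx], p->wptr, numdecrypt)` is still invoked with a zero length. Move the `numdecrypt -= (numdecrypt % session->remote.crypt->blocksize);` line above the `if(numdecrypt > 0)` test so the zero case is skipped rather than handed to the cipher. Separately, the mailer has wrapped `session-` / `>remote.crypt->blocksize` across two lines, so the patch as pasted will not apply cleanly; resend it as an attachment or with wrapping disabled.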
@@ -451,18 +454,18 @@ libssh2pack_t libssh2_packet_read(LIBSSH
/* increse data_num */
p->data_num += numdecrypt;
/* bytes left to take care of without
decryption */
numbytes -= numdecrypt;
}
/* if there are bytes to copy that aren't decrypted,
simply
- copy them as-is to the target buffer */
- if(numbytes > 0) {
+ copy them as-is to the target buffer if necessary */
+ if(numbytes > 0 && (!encrypted || !(p->total_num - (p-
>data_num + numbytes)))) {
memcpy(p->wptr, &p->buf[p->readidx],
numbytes);
/* advance the read pointer */
p->readidx += numbytes;
/* advance write pointer */
p->wptr += numbytes;
/* increse data_num */
p->data_num += numbytes;
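Review bot: the new guard `!(p->total_num - (p->data_num + numbytes))` is an opaque way of saying "this copy completes the packet"; `p->total_num == p->data_num + numbytes` states the intent directly and avoids a reader wondering about an unsigned wrap in the subtraction. When the condition is false (encrypted, mid-packet, leftover bytes shorter than a block) the bytes are intentionally left behind at `p->buf[p->readidx]`, but nothing in this hunk shows how the next call learns that they are still pending, so the comment should spell out that `readidx` and `data_num` are deliberately not advanced and that the remainder is picked up on the next `libssh2_packet_read()` entry.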
On Feb 13, 2007, at 2:52 PM, Daniel Stenberg wrote:
> On Tue, 13 Feb 2007, Lucas Newman wrote:
>
>> This loop will process 1440 bytes of data that we passed in, and
>> then 8 bytes are left in the buffer. However, we didn't outside of
>> this function we assumed that all 1448 bytes were processed and
>> copied into the decrypted packet buffer.
>>
>> Back at where decrypt was called, we increment the write pointer
>> the entire 1448 bytes of numdecrypt, so now those 8 unprocessed
>> bytes are effectively skipped.
>
> Thanks for being gentle with me, and now I clearly see your point.
> I'll try to address this flaw within soon if you haven't.
libssh2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libssh2-devel