And I just realized that it was an earlier version of the patch which subtracted from the write index, so ignore me :) I would like feedback on the patch though.
-Lucas

On Feb 13, 2007, at 3:49 PM, Lucas Newman wrote:

> Here's a patch that addresses it. You may want to do it differently
> though, as subtracting from the write index is a little weird, but I
> couldn't see how else to do it since we need to determine padding
> length from the first block.
>
> -Lucas
>
> Index: transport.c > =================================================================== > RCS file: /cvsroot/libssh2/libssh2/src/transport.c,v > retrieving revision 1.2 > diff -u -8 -p -r1.2 transport.c > --- transport.c 2 Feb 2007 23:23:37 -0000 1.2 > +++ transport.c 13 Feb 2007 23:45:59 -0000 > @@ -432,16 +432,19 @@ libssh2pack_t libssh2_packet_read(LIBSSH > } > else { > /* unencrypted data should not be decrypted > at all */ > numdecrypt = 0; > } > > /* if there are bytes to decrypt, do that */ > if(numdecrypt > 0) { > + /* We can only decrypt a multiple of the > blocksize */ > + numdecrypt -= (numdecrypt % session- >> remote.crypt->blocksize); > + > /* now decrypt the lot */ > rc = decrypt(session, &p->buf[p->readidx], > p->wptr, numdecrypt); > if(rc != PACKET_NONE) { > return rc; > } > > /* advance the read pointer */
> @@ -451,18 +454,18 @@ libssh2pack_t libssh2_packet_read(LIBSSH > /* increse data_num */ > p->data_num += numdecrypt; > > /* bytes left to take care of without > decryption */ > numbytes -= numdecrypt; > } > > /* if there are bytes to copy that aren't decrypted, > simply > - copy them as-is to the target buffer */ > - if(numbytes > 0) { > + copy them as-is to the target buffer if > necessary */ > + if(numbytes > 0 && (!encrypted || !(p->total_num - > (p- >> data_num + numbytes)))) { > memcpy(p->wptr, &p->buf[p->readidx], > numbytes); > > /* advance the read pointer */ > p->readidx += numbytes; > /* advance write pointer */ > p->wptr += numbytes; > /* increse data_num */ > p->data_num += numbytes;
>
> On Feb 13, 2007, at 2:52 PM, Daniel Stenberg wrote:
>
>> On Tue, 13 Feb 2007, Lucas Newman wrote:
>>
>>> This loop will process 1440 bytes of data that we passed in, and
>>> then 8 bytes are left in the buffer. However, we didn't outside of
>>> this function we assumed that all 1448 bytes were processed and
>>> copied into the decrypted packet buffer.
>>>
>>> Back at where decrypt was called, we increment the write pointer
>>> the entire 1448 bytes of numdecrypt, so now those 8 unprocessed
>>> bytes are effectively skipped.
>>
>> Thanks for being gentle with me, and now I clearly see your point.
>> I'll try to address this flaw within soon if you haven't.
>
> _______________________________________________
> libssh2-devel mailing list
> libssh2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/libssh2-devel
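
Review bot: in the first hunk (@@ -432,16 +432,19 @@) the rounding line, numdecrypt -= (numdecrypt % session->remote.crypt->blocksize), sits inside the if(numdecrypt > 0) block, so when fewer than blocksize bytes are available numdecrypt drops to 0 and decrypt() is still called with a zero length. Do the rounding before the if(numdecrypt > 0) test, or test again after it, so the zero case skips the call and falls through to the numbytes handling. The new comment could also say where the remainder goes, since numbytes -= numdecrypt further down now leaves it in numbytes.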
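
Review bot: in the second hunk (@@ -451,18 +454,18 @@) the new condition, numbytes > 0 && (!encrypted || !(p->total_num - (p->data_num + numbytes))), skips the memcpy for an encrypted packet unless the leftover bytes exactly finish it, and in that skipped case nothing visible here advances p->readidx or records that numbytes input bytes are still pending. Please show or add where that tail is kept for the next read, and write the test as a comparison, p->data_num + numbytes == p->total_num, which is easier to read than negating a subtraction. The reworded comment says "if necessary" without saying when; it should state which trailing bytes of an encrypted packet are expected to be copied undecrypted.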
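
The situation described in the quoted message (1448 bytes handed to decrypt, 1440 processed, 8 left over), as an added C sketch that is not libssh2 code: the write pointer advances only by what the cipher reports as processed, and the partial block stays queued until more data arrives. The names toy_decrypt, struct reader, feed and run_split, the XOR stand-in cipher and the 16-byte block size are assumptions for illustration, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BLOCKSIZE 16  /* assumed; consistent with 1448 -> 1440 + 8 above */

/* Stand-in XOR "cipher": consumes whole blocks only, returns bytes done. */
static size_t toy_decrypt(unsigned char *dst, const unsigned char *src, size_t len) {
    size_t done = len - (len % BLOCKSIZE);
    for (size_t i = 0; i < done; i++) dst[i] = src[i] ^ 0x5a;
    return done;
}

struct reader {               /* hypothetical state, not libssh2's struct */
    unsigned char buf[2048];  /* ciphertext received but not yet decrypted */
    size_t have;              /* number of valid bytes in buf */
    unsigned char *wptr;      /* next plaintext write position */
};

/* Queue one chunk, decrypt the whole blocks, keep the partial block. */
static size_t feed(struct reader *r, const unsigned char *in, size_t len) {
    if (len > sizeof r->buf - r->have) return 0;  /* chunk does not fit */
    memcpy(r->buf + r->have, in, len);
    r->have += len;
    size_t done = toy_decrypt(r->wptr, r->buf, r->have);
    r->wptr += done;          /* advance by bytes processed, not by len */
    r->have -= done;
    memmove(r->buf, r->buf + done, r->have);
    return done;
}

/* Constructed input: 1456 bytes fed as first + rest. Returns the count of
   correct plaintext bytes; *out1 is the plaintext produced by chunk one. */
static size_t run_split(size_t first, size_t *out1) {
    unsigned char ct[1456], pt[1456] = {0};
    struct reader r = { {0}, 0, pt };
    size_t ok = 0;
    for (size_t i = 0; i < sizeof ct; i++) ct[i] = (unsigned char)(i ^ 0x5a);
    *out1 = feed(&r, ct, first);
    feed(&r, ct + first, sizeof ct - first);
    for (size_t i = 0; i < sizeof pt; i++) ok += (pt[i] == (unsigned char)i);
    return ok;
}

int main(void) {
    size_t out1, ok = run_split(1448, &out1);
    printf("decrypted %zu, held %zu, correct %zu\n", out1, 1448 - out1, ok);
    return 0;
}
```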