From 8df35cc3683bf86c432acf1fd25d056c19cc8a63 Mon Sep 17 00:00:00 2001 From: terrafrost Date: Tue, 28 May 2019 08:47:34 -0500 Subject: [PATCH] SFTP: improve handling of malformed packets --- phpseclib/Net/SFTP.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/phpseclib/Net/SFTP.php b/phpseclib/Net/SFTP.php index 03262aa1..a6216285 100644 --- a/phpseclib/Net/SFTP.php +++ b/phpseclib/Net/SFTP.php @@ -3049,7 +3049,9 @@ class Net_SFTP extends Net_SSH2 return $temp; } - $this->curTimeout = false; + // in SSH2.php the timeout is cumulative per function call. eg. exec() will + // timeout after 10s. but for SFTP.php it's cumulative per packet + $this->curTimeout = $this->timeout; $start = strtok(microtime(), ' ') + strtok(''); // http://php.net/microtime#61838 @@ -3070,6 +3072,13 @@ class Net_SFTP extends Net_SSH2 $tempLength = $length; $tempLength-= strlen($this->packet_buffer); + + // 256 * 1024 is what SFTP_MAX_MSG_LENGTH is set to in OpenSSH's sftp-common.h + if ($tempLength > 256 * 1024) { + user_error('Invalid SFTP packet size'); + return false; + } + // SFTP packet type and data payload while ($tempLength > 0) { $temp = $this->_get_channel_packet(NET_SFTP_CHANNEL, true);