From 8df35cc3683bf86c432acf1fd25d056c19cc8a63 Mon Sep 17 00:00:00 2001
From: terrafrost <terrafrost@php.net>
Date: Tue, 28 May 2019 08:47:34 -0500
Subject: [PATCH] SFTP: improve handling of malformed packets

---
 phpseclib/Net/SFTP.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/phpseclib/Net/SFTP.php b/phpseclib/Net/SFTP.php
index 03262aa1..a6216285 100644
--- a/phpseclib/Net/SFTP.php
+++ b/phpseclib/Net/SFTP.php
@@ -3049,7 +3049,9 @@ class Net_SFTP extends Net_SSH2
             return $temp;
         }
 
-        $this->curTimeout = false;
+        // in SSH2.php the timeout is cumulative per function call. eg. exec() will
+        // timeout after 10s. but for SFTP.php it's cumulative per packet
+        $this->curTimeout = $this->timeout;
 
         $start = strtok(microtime(), ' ') + strtok(''); // http://php.net/microtime#61838
 
@@ -3070,6 +3072,13 @@ class Net_SFTP extends Net_SSH2
         $tempLength = $length;
         $tempLength-= strlen($this->packet_buffer);
 
+
+        // 256 * 1024 is what SFTP_MAX_MSG_LENGTH is set to in OpenSSH's sftp-common.h
+        if ($tempLength > 256 * 1024) {
+            user_error('Invalid SFTP packet size');
+            return false;
+        }
+
         // SFTP packet type and data payload
         while ($tempLength > 0) {
             $temp = $this->_get_channel_packet(NET_SFTP_CHANNEL, true);