From b8ac85a0673d06606c6523e4bb8f46e1034d0638 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 7 Dec 2015 18:38:54 +0100
Subject: ssh: fix error for bad packet lengths found by Defensics

---
 lib/ssh/src/ssh_connection_handler.erl | 20 ++++++++++++++++++--
 lib/ssh/src/ssh_transport.erl          |  5 +----
 2 files changed, 19 insertions(+), 6 deletions(-)

(limited to 'lib')

diff --git a/lib/ssh/src/ssh_connection_handler.erl b/lib/ssh/src/ssh_connection_handler.erl
index 516a09bf6a..0eaeba26a9 100644
--- a/lib/ssh/src/ssh_connection_handler.erl
+++ b/lib/ssh/src/ssh_connection_handler.erl
@@ -999,7 +999,8 @@ handle_info({Protocol, Socket, Data}, StateName,
 		   encoded_data_buffer = EncData0,
 		   undecoded_packet_length = RemainingSshPacketLen0} = State0) ->
     Encoded = <<EncData0/binary, Data/binary>>,
-    case ssh_transport:handle_packet_part(DecData0, Encoded, RemainingSshPacketLen0, Ssh0) of
+    try ssh_transport:handle_packet_part(DecData0, Encoded, RemainingSshPacketLen0, Ssh0) 
+    of
 	{get_more, DecBytes, EncDataRest, RemainingSshPacketLen, Ssh1} ->
 	    {next_state, StateName,
 	     next_packet(State0#state{encoded_data_buffer = EncDataRest,
@@ -1021,7 +1022,22 @@ handle_info({Protocol, Socket, Data}, StateName,
 		    #ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
 					description = "Bad mac",
 					language = ""},
-	    handle_disconnect(DisconnectMsg, State0#state{ssh_params=Ssh1})
+	    handle_disconnect(DisconnectMsg, State0#state{ssh_params=Ssh1});
+
+	{error, {exceeds_max_size,PacketLen}} ->
+	    DisconnectMsg = 
+		#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
+				    description = "Bad packet length " 
+				    ++ integer_to_list(PacketLen),
+				    language = ""},
+	    handle_disconnect(DisconnectMsg, State0)
+    catch
+	_:_ ->
+	    DisconnectMsg = 
+		#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
+				    description = "Bad packet",
+				    language = ""},
+	    handle_disconnect(DisconnectMsg, State0)
     end;
 		
 handle_info({CloseTag, _Socket}, _StateName, 
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index 67a0d29bb8..18037b8461 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -1004,10 +1004,7 @@ handle_packet_part(<<>>, Encrypted0, undefined, #ssh{decrypt = CryptoAlg} = Ssh0
 
 	{ok, PacketLen, _, _, _} when PacketLen > ?SSH_MAX_PACKET_SIZE ->
 	    %% far too long message than expected
-	    throw(#ssh_msg_disconnect{code = ?SSH_DISCONNECT_PROTOCOL_ERROR,
-				      description = "Bad packet length " 
-				      ++ integer_to_list(PacketLen),
-				      language = ""});
+	    {error, {exceeds_max_size,PacketLen}};
 	
 	{ok, PacketLen, Decrypted, Encrypted1,
 	 #ssh{recv_mac_size = MacSize} = Ssh1} ->
-- 
cgit v1.2.3