Limit memory allocation of get_bytes to 1MB

mimecuvalo · mimecuvalo · commit a06091a0475e · 2013-11-24T00:35:45.000Z
If get_bytes() can pad unlimited, a RSA pub key could be crafted that would allocate GB's of nulls, thereby forming a DoS-vector. paramiko/paramiko@3bbcf80
diff --git a/message.js b/message.js
@@ -73,7 +73,8 @@ paramikojs.Message.prototype = {
   get_bytes : function(n) {
     var b = this.packet.substring(this.position, this.position + n);
     this.position += n;
-    if (b.length < n) {
+    var max_pad_size = 1 << 20;  // Limit padding to 1 MB
+    if (b.length < n && n < max_pad_size) {
       return b + new Array(n - b.length + 1).join('\x00');
     }
     return b;
