aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ssh/agent/server.go3
-rw-r--r--ssh/agent/server_test.go7
2 files changed, 10 insertions, 0 deletions
diff --git a/ssh/agent/server.go b/ssh/agent/server.go
index 88ce4da..4e8ff86 100644
--- a/ssh/agent/server.go
+++ b/ssh/agent/server.go
@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
for len(constraints) != 0 {
switch constraints[0] {
case agentConstrainLifetime:
+ if len(constraints) < 5 {
+ return 0, false, nil, io.ErrUnexpectedEOF
+ }
lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
constraints = constraints[5:]
case agentConstrainConfirm:
diff --git a/ssh/agent/server_test.go b/ssh/agent/server_test.go
index 7700d18..6309e2d 100644
--- a/ssh/agent/server_test.go
+++ b/ssh/agent/server_test.go
@@ -8,6 +8,7 @@ import (
"crypto"
"crypto/rand"
"fmt"
+ "io"
pseudorand "math/rand"
"reflect"
"strings"
@@ -258,6 +259,12 @@ func TestParseConstraints(t *testing.T) {
t.Errorf("got extension %v, want %v", extensions, expect)
}
+ // Test Malformed Constraint
+ _, _, _, err = parseConstraints([]byte{1})
+ if err != io.ErrUnexpectedEOF {
+ t.Errorf("got %v, want %v", err, io.ErrUnexpectedEOF)
+ }
+
// Test Unknown Constraint
_, _, _, err = parseConstraints([]byte{128})
if err == nil || !strings.Contains(err.Error(), "unknown constraint") {
generated by cgit v1.3 (git 2.53.0) at 2026-04-15 04:16:29 +0000