From f660ea3f64b86d11d19e33076012069f02431e55 Mon Sep 17 00:00:00 2001
From: Eugene
Date: Wed, 14 Aug 2024 09:08:59 +0200
Subject: [PATCH 1/2] fixed GHSA-vgvv-x7xg-6cqg - OOM Denial of Service due to allocation of untrusted packet size

---
 russh/src/cipher/mod.rs | 9 ++++++++-
 russh/src/lib.rs | 4 ++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/russh/src/cipher/mod.rs b/russh/src/cipher/mod.rs
index fbb627f..abeda3c 100644
--- a/russh/src/cipher/mod.rs
+++ b/russh/src/cipher/mod.rs
@@ -240,7 +240,13 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
 buffer.buffer.extend(&len);
 debug!("reading, seqn = {:?}", seqn);
 let len = cipher.decrypt_packet_length(seqn, &len);
- buffer.len = BigEndian::read_u32(&len) as usize + cipher.tag_len();
+ let len = BigEndian::read_u32(&len) as usize;
+
+ if len > MAXIMUM_PACKET_LEN {
+ return Err(Error::PacketSize(len));
+ }
+
+ buffer.len = len + cipher.tag_len();
 debug!("reading, clear len = {:?}", buffer.len);
 }
 }
@@ -278,5 +284,6 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
 pub(crate) const PACKET_LENGTH_LEN: usize = 4;
 const MINIMUM_PACKET_LEN: usize = 16;
+const MAXIMUM_PACKET_LEN: usize = 256 * 1024;
 const PADDING_LENGTH_LEN: usize = 1;
diff --git a/russh/src/lib.rs b/russh/src/lib.rs
index 93ff1bd..accfaeb 100644
--- a/russh/src/lib.rs
+++ b/russh/src/lib.rs
@@ -221,6 +221,10 @@ pub enum Error {
 #[error("Wrong server signature")]
 WrongServerSig,
+ /// Excessive packet size.
+ #[error("Bad packet size: {0}")]
+ PacketSize(usize),
+
 /// Message received/sent on unopened channel.
 #[error("Channel not open")]
 WrongChannel,

From ba8bde99990bdeced9203b98efcfebf0c667460c Mon Sep 17 00:00:00 2001
From: Eugene
Date: Wed, 14 Aug 2024 22:57:40 +0200
Subject: [PATCH 2/2] v0.44.1

---
 russh/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/russh/Cargo.toml b/russh/Cargo.toml
index c737b36..af08555 100644
--- a/russh/Cargo.toml
+++ b/russh/Cargo.toml
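Review bot: The new guard in `read` rejects only lengths above `MAXIMUM_PACKET_LEN`; nothing in this hunk rejects a decrypted length that is too small, although `MINIMUM_PACKET_LEN` is declared beside the new constant. If no later step in `read` (its body continues outside the hunk) enforces a lower bound, checking both ends here keeps every decision about the untrusted length field in one place, e.g. `if len < MINIMUM_PACKET_LEN || len > MAXIMUM_PACKET_LEN {`, once it is confirmed that `MINIMUM_PACKET_LEN` is measured against the same field. Capping `len` before the addition also keeps `len + cipher.tag_len()` from wrapping on 32-bit targets, which deserves a short comment so the ordering is not undone later. The patch touches only two source files, so a regression test that feeds an oversized length prefix and expects `Error::PacketSize` is still missing.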
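Review bot: `MAXIMUM_PACKET_LEN` is added without a comment, although it is the value that bounds how much a remote peer can make `read` buffer for a single packet. A doc comment would record that contract, e.g. `/// Largest packet_length accepted from the peer; enforced before the read buffer is sized.` 256 KiB matches the cap OpenSSH applies (`PACKET_MAX_SIZE`) and is well above the 35000-byte total packet size that RFC 4253 section 6.1 requires implementations to handle; stating this next to the constant stops the number from being changed casually. If the crate lets callers configure a larger channel packet size elsewhere, that setting and this cap should be validated against each other.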
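Review bot: Adding `PacketSize(usize)` to the public `Error` enum breaks downstream exhaustive `match` expressions unless the enum is marked `#[non_exhaustive]`; the enum's attributes sit above this hunk and are not visible here. The follow-up patch publishes the change as 0.44.1, which Cargo treats as compatible with 0.44.0, so the attribute should be confirmed before release. The doc comment could also say which side triggers the error, e.g. `/// The peer announced a packet length above the accepted maximum.`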
@@ -9,7 +9,7 @@ license = "Apache-2.0"
 name = "russh"
 readme = "../README.md"
 repository = "https://github.com/warp-tech/russh"
-version = "0.44.0"
+version = "0.44.1"
 rust-version = "1.65"
 [features]