From 37eb1bc59dcb07076dee03fef52eba8720fd8962 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Thu, 24 May 2018 13:07:32 -0700
Subject: [PATCH] Fuzz Test Fixes
1. Add a maximum packet size value and verify the read packet size.
---
 src/internal.c | 3 +++
 wolfssh/internal.h | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 65f335c..06d7518 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4392,6 +4392,9 @@ int DoReceive(WOLFSSH* ssh)
 /* Peek at the packet_length field. */
 ato32(ssh->inputBuffer.buffer + ssh->inputBuffer.idx, &ssh->curSz);
+ if (ssh->curSz > MAX_PACKET_SZ - (word32)peerMacSz - LENGTH_SZ)
+ return WS_OVERFLOW_E;
+
 ssh->processReplyState = PROCESS_PACKET_FINISH;
 FALL_THROUGH;
diff --git a/wolfssh/internal.h b/wolfssh/internal.h
index cd4fbb6..7a806d7 100644
--- a/wolfssh/internal.h
+++ b/wolfssh/internal.h
@@ -130,6 +130,10 @@ enum {
 #ifndef DEFAULT_NEXT_CHANNEL
 #define DEFAULT_NEXT_CHANNEL 0
 #endif
+#ifndef MAX_PACKET_SZ
+ /* This is from RFC 4253 section 6.1. */
+ #define MAX_PACKET_SZ 35000
+#endif
 WOLFSSH_LOCAL byte NameToId(const char*, word32);
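Review bot: The new guard only bounds packet_length from above; if the PROCESS_PACKET_FINISH path that follows derives the payload length from curSz by subtracting the padding_length byte and the padding (as RFC 4253 section 6 lays the packet out), a curSz of zero or below that minimum would underflow in word32 arithmetic, so the same guard should also reject a curSz smaller than the RFC minimum (padding_length byte plus at least four padding bytes) — that later logic is outside this hunk, so confirm it before adding the lower bound. The expression `MAX_PACKET_SZ - (word32)peerMacSz - LENGTH_SZ` is unsigned and would wrap if peerMacSz ever exceeded MAX_PACKET_SZ - LENGTH_SZ; with a 35000 ceiling and MAC lengths of a few dozen bytes that cannot happen today, but the invariant is worth stating next to the check. The derivation of the bound deserves a comment, e.g. `/* RFC 4253 6.1: total packet size (length field, padding_length, payload, padding and MAC) must not exceed MAX_PACKET_SZ; curSz excludes the length field and the MAC. */`. Returning WS_OVERFLOW_E without a debug log line makes rejected packets invisible when triaging fuzzer findings or a hostile peer, so a log statement before the return would help. DoReceive begins and ends outside this hunk.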
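Review bot: The comment on the new define should say what the 35000 denotes, because RFC 4253 section 6.1 gives it as the total packet size including the packet_length field, padding_length, payload, random padding and MAC — which is what justifies subtracting the MAC and length sizes from it at the use site in src/internal.c; e.g. `/* RFC 4253 6.1: maximum total packet size (length field, padding_length, payload, padding and MAC) that every implementation must accept. */`. As a point of style, the indented comment and `#define` inside the `#ifndef` differ from the column-0 `#define DEFAULT_NEXT_CHANNEL 0` block directly above; keeping the new lines at column 0 would match the file.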