From b2f6c7223d6aa9b1c43423c8ed5c7170c920e9e4 Mon Sep 17 00:00:00 2001
From: Christian Kandeler <christian.kandeler@nokia.com>
Date: Fri, 15 Jun 2012 14:01:51 +0200
Subject: [PATCH] SSH: Replace assertion by exception.

We used Q_ASSERT to verify packet validity even for incoming packets,
which means a malicious host could crash QtCreator by sending invalid
data.

Change-Id: Ie2b674d40273d987d91387f41748fbe085c63ed8
Reviewed-by: hjk <qthjk@ovi.com>
---
 src/libs/ssh/sshincomingpacket.cpp | 3 +++
 src/libs/ssh/sshpacket.cpp         | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/libs/ssh/sshincomingpacket.cpp b/src/libs/ssh/sshincomingpacket.cpp
index 22db3074041..00db58ea380 100644
--- a/src/libs/ssh/sshincomingpacket.cpp
+++ b/src/libs/ssh/sshincomingpacket.cpp
@@ -90,6 +90,9 @@ void SshIncomingPacket::consumeData(QByteArray &newData)
             return;
     }
 
+    if (4 + length() + macLength() < currentDataSize())
+        throw SSH_SERVER_EXCEPTION(SSH_DISCONNECT_PROTOCOL_ERROR, "Server sent invalid packet.");
+
     const int bytesToTake
         = qMin<quint32>(length() + 4 + macLength() - currentDataSize(),
               newData.size());
diff --git a/src/libs/ssh/sshpacket.cpp b/src/libs/ssh/sshpacket.cpp
index 3e6e4085870..52a532dc1f3 100644
--- a/src/libs/ssh/sshpacket.cpp
+++ b/src/libs/ssh/sshpacket.cpp
@@ -70,7 +70,6 @@ bool AbstractSshPacket::isComplete() const
 {
     if (currentDataSize() < minPacketSize())
         return false;
-    Q_ASSERT(4 + length() + macLength() >= currentDataSize());
     return 4 + length() + macLength() == currentDataSize();
 }