x/crypto/ssh: fix bounds check in parseString

Fixes #11348

Change-Id: If083744343256a2a53eb813411ba0c9a359d6dbd
Reviewed-on: https://go-review.googlesource.com/11332
Reviewed-by: Adam Langley <agl@golang.org>

ssh/messages.go

@@ -484,11 +484,12 @@ func parseString(in []byte) (out, rest []byte, ok bool) {
 		return
 	}
 	length := binary.BigEndian.Uint32(in)
-	if uint32(len(in)) < 4+length {
+	in = in[4:]
+	if uint32(len(in)) < length {
 		return
 	}
-	out = in[4 : 4+length]
-	rest = in[4+length:]
+	out = in[:length]
+	rest = in[length:]
 	ok = true
 	return
 }

ssh/messages_test.go

@@ -162,6 +162,16 @@ func TestBareMarshal(t *testing.T) {
 	}
 }
 
+func TestUnmarshalShortKexInitPacket(t *testing.T) {
+	// This used to panic.
+	// Issue 11348
+	packet := []byte{0x14, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0xff, 0xff, 0xff, 0xff}
+	kim := &kexInitMsg{}
+	if err := Unmarshal(packet, kim); err == nil {
+		t.Error("truncated packet unmarshaled without error")
+	}
+}
+
 func randomBytes(out []byte, rand *rand.Rand) {
 	for i := 0; i < len(out); i++ {
 		out[i] = byte(rand.Int31())