libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

A remote, unauthenticated attacker can send a crafted SSH handshake or protocol message where the `packet_length` field (the first 4 bytes of the packet) is set to a value larger than `LIBSSH2_PACKET_MAXPAYLOAD`. The vulnerable `ssh2_transport_read()` function trusts this value without an upper-bound check, leading to a heap buffer overflow. This can corrupt adjacent heap metadata and potentially achieve remote code execution. The precondition is only that the attacker can establish an SSH connection to a service using libssh2.

The vulnerability resides in `ssh2_transport_read()` in `src/transport.c`. The function reads a `packet_length` field from the network but previously only checked that it was not less than 1; no upper-bound check existed, allowing an attacker to supply an arbitrarily large value that would cause an out-of-bounds write into heap memory.

The patch adds an `else if` branch in `ssh2_transport_read()` that returns `LIBSSH2_ERROR_OUT_OF_BOUNDARY` when `p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD`. This rejects any packet whose declared length exceeds the maximum allowed payload size, preventing the subsequent code from using the attacker-controlled large value in a memory copy or allocation that would overflow the heap buffer.