tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: add defence-in-depth checks for some unreachable integer 

overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@

OpenBSD-Commit-ID: 52af085f4e7ef9f9d8423d8c1840a6a88bda90bd
This commit is contained in:
djm@openbsd.org 2023-07-14 05:31:44 +00:00 committed by Damien Miller
parent 4b43bc358a
commit 2ee48adb9f
No known key found for this signature in database
4 changed files with 23 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
auth-options.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.99 2023/03/29 00:18:35 djm Exp $ */ /* $OpenBSD: auth-options.c,v 1.100 2023/07/14 05:31:44 djm Exp $ */
/* /*
* Copyright (c) 2018 Damien Miller <djm@mindrot.org> * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
* *
@ -48,10 +48,11 @@ dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc)
*dstp = NULL; *dstp = NULL;
*ndstp = 0; *ndstp = 0;
if (nsrc == 0) if (nsrc == 0)
return 0; return 0;
if (nsrc >= SIZE_MAX / sizeof(*src) ||
if ((dst = calloc(nsrc, sizeof(*src))) == NULL) (dst = calloc(nsrc, sizeof(*src))) == NULL)
return -1; return -1;
for (i = 0; i < nsrc; i++) { for (i = 0; i < nsrc; i++) {
if ((dst[i] = strdup(src[i])) == NULL) { if ((dst[i] = strdup(src[i])) == NULL) {

7
misc.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.181 2023/03/03 02:37:58 dtucker Exp $ */ /* $OpenBSD: misc.c,v 1.182 2023/07/14 05:31:44 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved. * Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@ -926,8 +926,11 @@ urldecode(const char *src)
{ {
char *ret, *dst; char *ret, *dst;
int ch; int ch;
size_t srclen;
ret = xmalloc(strlen(src) + 1); if ((srclen = strlen(src)) >= SIZE_MAX)
fatal_f("input too large");
ret = xmalloc(srclen + 1);
for (dst = ret; *src != '\0'; src++) { for (dst = ret; *src != '\0'; src++) {
switch (*src) { switch (*src) {
case '+': case '+':

9
scp.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: scp.c,v 1.256 2023/03/31 05:56:36 dtucker Exp $ */ /* $OpenBSD: scp.c,v 1.257 2023/07/14 05:31:44 djm Exp $ */
/* /*
* scp - secure remote copy. This is basically patched BSD rcp which * scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd). * uses ssh to do the data transfer (instead of using rcmd).
@ -838,8 +838,13 @@ emit_expansion(const char *pattern, int brace_start, int brace_end,
int sel_start, int sel_end, char ***patternsp, size_t *npatternsp) int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
{ {
char *cp; char *cp;
int o = 0, tail_len = strlen(pattern + brace_end + 1); size_t pattern_len;
int o = 0, tail_len;
if ((pattern_len = strlen(pattern)) == 0 || pattern_len >= INT_MAX)
return -1;
tail_len = strlen(pattern + brace_end + 1);
if ((cp = malloc(brace_start + (sel_end - sel_start) + if ((cp = malloc(brace_start + (sel_end - sel_start) +
tail_len + 1)) == NULL) tail_len + 1)) == NULL)
return -1; return -1;

9
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.468 2023/06/20 00:05:09 djm Exp $ */ /* $OpenBSD: ssh-keygen.c,v 1.469 2023/07/14 05:31:44 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2246,7 +2246,8 @@ hash_to_blob(const char *cp, u_char **blobp, size_t *lenp,
* OpenSSH base64 hashes omit trailing '=' * OpenSSH base64 hashes omit trailing '='
* characters; put them back for decode. * characters; put them back for decode.
*/ */
tlen = strlen(cp); if ((tlen = strlen(cp)) >= SIZE_MAX - 5)
fatal_f("hash too long: %zu bytes", tlen);
tmp = xmalloc(tlen + 4 + 1); tmp = xmalloc(tlen + 4 + 1);
strlcpy(tmp, cp, tlen + 1); strlcpy(tmp, cp, tlen + 1);
while ((tlen % 4) != 0) { while ((tlen % 4) != 0) {
@ -2288,6 +2289,10 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
if (!quiet) if (!quiet)
printf("Revoking from %s\n", path); printf("Revoking from %s\n", path);
while (getline(&line, &linesize, krl_spec) != -1) { while (getline(&line, &linesize, krl_spec) != -1) {
if (linesize >= INT_MAX) {
fatal_f("%s contains unparsable line, len=%zu",
path, linesize);
}
lnum++; lnum++;
was_explicit_key = was_sha1 = was_sha256 = was_hash = 0; was_explicit_key = was_sha1 = was_sha256 = was_hash = 0;
cp = line + strspn(line, " \t"); cp = line + strspn(line, " \t");