upstream: add defence-in-depth checks for some unreachable integer
overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@ OpenBSD-Commit-ID: 52af085f4e7ef9f9d8423d8c1840a6a88bda90bd
This commit is contained in:
parent
4b43bc358a
commit
2ee48adb9f
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: auth-options.c,v 1.99 2023/03/29 00:18:35 djm Exp $ */
|
||||
/* $OpenBSD: auth-options.c,v 1.100 2023/07/14 05:31:44 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
|
||||
*
|
||||
|
@ -48,10 +48,11 @@ dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc)
|
|||
|
||||
*dstp = NULL;
|
||||
*ndstp = 0;
|
||||
|
||||
if (nsrc == 0)
|
||||
return 0;
|
||||
|
||||
if ((dst = calloc(nsrc, sizeof(*src))) == NULL)
|
||||
if (nsrc >= SIZE_MAX / sizeof(*src) ||
|
||||
(dst = calloc(nsrc, sizeof(*src))) == NULL)
|
||||
return -1;
|
||||
for (i = 0; i < nsrc; i++) {
|
||||
if ((dst[i] = strdup(src[i])) == NULL) {
|
||||
|
|
7
misc.c
7
misc.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: misc.c,v 1.181 2023/03/03 02:37:58 dtucker Exp $ */
|
||||
/* $OpenBSD: misc.c,v 1.182 2023/07/14 05:31:44 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
|
||||
|
@ -926,8 +926,11 @@ urldecode(const char *src)
|
|||
{
|
||||
char *ret, *dst;
|
||||
int ch;
|
||||
size_t srclen;
|
||||
|
||||
ret = xmalloc(strlen(src) + 1);
|
||||
if ((srclen = strlen(src)) >= SIZE_MAX)
|
||||
fatal_f("input too large");
|
||||
ret = xmalloc(srclen + 1);
|
||||
for (dst = ret; *src != '\0'; src++) {
|
||||
switch (*src) {
|
||||
case '+':
|
||||
|
|
9
scp.c
9
scp.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: scp.c,v 1.256 2023/03/31 05:56:36 dtucker Exp $ */
|
||||
/* $OpenBSD: scp.c,v 1.257 2023/07/14 05:31:44 djm Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
|
@ -838,8 +838,13 @@ emit_expansion(const char *pattern, int brace_start, int brace_end,
|
|||
int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
|
||||
{
|
||||
char *cp;
|
||||
int o = 0, tail_len = strlen(pattern + brace_end + 1);
|
||||
size_t pattern_len;
|
||||
int o = 0, tail_len;
|
||||
|
||||
if ((pattern_len = strlen(pattern)) == 0 || pattern_len >= INT_MAX)
|
||||
return -1;
|
||||
|
||||
tail_len = strlen(pattern + brace_end + 1);
|
||||
if ((cp = malloc(brace_start + (sel_end - sel_start) +
|
||||
tail_len + 1)) == NULL)
|
||||
return -1;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-keygen.c,v 1.468 2023/06/20 00:05:09 djm Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.469 2023/07/14 05:31:44 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -2246,7 +2246,8 @@ hash_to_blob(const char *cp, u_char **blobp, size_t *lenp,
|
|||
* OpenSSH base64 hashes omit trailing '='
|
||||
* characters; put them back for decode.
|
||||
*/
|
||||
tlen = strlen(cp);
|
||||
if ((tlen = strlen(cp)) >= SIZE_MAX - 5)
|
||||
fatal_f("hash too long: %zu bytes", tlen);
|
||||
tmp = xmalloc(tlen + 4 + 1);
|
||||
strlcpy(tmp, cp, tlen + 1);
|
||||
while ((tlen % 4) != 0) {
|
||||
|
@ -2288,6 +2289,10 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
|
|||
if (!quiet)
|
||||
printf("Revoking from %s\n", path);
|
||||
while (getline(&line, &linesize, krl_spec) != -1) {
|
||||
if (linesize >= INT_MAX) {
|
||||
fatal_f("%s contains unparsable line, len=%zu",
|
||||
path, linesize);
|
||||
}
|
||||
lnum++;
|
||||
was_explicit_key = was_sha1 = was_sha256 = was_hash = 0;
|
||||
cp = line + strspn(line, " \t");
|
||||
|
|
Loading…
Reference in New Issue