From c948030d54911b2d3cddb96a7a8e9269e15d11cd Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 13 Jun 2017 12:13:59 +0000 Subject: [PATCH] upstream commit Do not require that unknown EXT_INFO extension values not contain \0 characters. This would cause fatal connection errors if an implementation sent e.g. string-encoded sub-values inside a value. Reported by Denis Bider; ok markus@ Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c --- kex.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/kex.c b/kex.c index cf44fbc04..d5d5a9dae 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.133 2017/05/30 14:23:52 markus Exp $ */ +/* $OpenBSD: kex.c,v 1.134 2017/06/13 12:13:59 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -378,7 +378,9 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) { struct kex *kex = ssh->kex; u_int32_t i, ninfo; - char *name, *val, *found; + char *name, *found; + u_char *val; + size_t vlen; int r; debug("SSH2_MSG_EXT_INFO received"); @@ -388,12 +390,17 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) for (i = 0; i < ninfo; i++) { if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) return r; - if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { + if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { free(name); return r; } - debug("%s: %s=<%s>", __func__, name, val); if (strcmp(name, "server-sig-algs") == 0) { + /* Ensure no \0 lurking in value */ + if (memchr(val, '\0', vlen) != NULL) { + error("%s: nul byte in %s", __func__, name); + return SSH_ERR_INVALID_FORMAT; + } + debug("%s: %s=<%s>", __func__, name, val); found = match_list("rsa-sha2-256", val, NULL); if (found) { kex->rsa_sha2 = 256; @@ -404,7 +411,8 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) kex->rsa_sha2 = 512; free(found); } - } + } else + debug("%s: %s (unrecognised)", __func__, name); free(name); free(val); }