[Bug 2396] New: Out of bounds read when parsing EscapeChar configuration value
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Sat May 9 20:23:58 AEST 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Bug ID: 2396
Summary: Out of bounds read when parsing EscapeChar
configuration value
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jaak+mindrot at ristioja.ee
An out of bounds memory read occurs during parsing the value for
EscapeChar in the following if-statement in readconf.c:1239:
if (arg[0] == '^' && arg[2] == 0 &&
(u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
This is erroneous because arg[2] might be one character off the end of
the string. I suggest the first two branches be rewritten as follows:
if (arg[1] == 0) // was "else if (strlen(arg) == 1)"
value = (u_char) arg[0];
else if (arg[0] == '^' && arg[2] == 0 &&
(u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
value = (u_char) arg[1] & 31;
This ensures that all single-character values are handled correctly and
arg[2] refers to accessible memory.
PS: As an unrelated comment I wish to mention that running ssh through
valgrind's memcheck seems to yield lots of results.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list