[Bug 2396] New: Out of bounds read when parsing EscapeChar configuration value

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat May 9 20:23:58 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2396

            Bug ID: 2396
           Summary: Out of bounds read when parsing EscapeChar
                    configuration value
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jaak+mindrot at ristioja.ee

An out-of-bounds memory read occurs while parsing the value for
EscapeChar in the following if-statement in readconf.c:1239:

  if (arg[0] == '^' && arg[2] == 0 &&
      (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)

This is erroneous because arg[2] might be one character off the end of
the string. I suggest the first two branches be rewritten as follows:

  if (arg[1] == 0) // was "else if (strlen(arg) == 1)"
      value = (u_char) arg[0];
  else if (arg[0] == '^' && arg[2] == 0 &&
      (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
      value = (u_char) arg[1] & 31;

This ensures that all single-character values are handled correctly and
arg[2] refers to accessible memory.



PS: As an unrelated comment I wish to mention that running ssh through
valgrind's memcheck seems to yield lots of results.

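The two branch orderings from the report side by side, as an added example that is neither OpenSSH's nor the reporter's code: it models only the two EscapeChar branches quoted above, reads the argument through a bounds-tracking accessor so the stray arg[2] read becomes observable, and assumes the argument buffer is exactly strlen(arg)+1 bytes, as a copied configuration token would be.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the parse: arg points at a buffer of len bytes (NUL included).
 * Any index >= len is a read past the string; we record it instead of performing it. */
struct rd { const char *arg; size_t len; int oob; };

/* Bounds-tracking replacement for arg[i]; returns 0 (and sets oob) when i is outside. */
static unsigned char at(struct rd *r, size_t i)
{
    if (i >= r->len) { r->oob = 1; return 0; }
    return (unsigned char)r->arg[i];
}

/* Branch order before the fix: the '^' test runs first, so for a one-character
 * argument such as "^" it evaluates arg[2], one byte past the terminating NUL. */
static int parse_old(struct rd *r)
{
    if (at(r, 0) == '^' && at(r, 2) == 0 && at(r, 1) >= 64 && at(r, 1) < 128)
        return at(r, 1) & 31;
    if (strlen(r->arg) == 1)
        return at(r, 0);
    return -1;   /* bad escape character; the parser's remaining branches are not modelled */
}

/* Branch order proposed in the report: arg[1] == 0 handles every single character first,
 * so arg[2] is only read when arg[1] is a real byte and arg[2] is at most the NUL. */
static int parse_fixed(struct rd *r)
{
    if (at(r, 1) == 0)
        return at(r, 0);
    if (at(r, 0) == '^' && at(r, 2) == 0 && at(r, 1) >= 64 && at(r, 1) < 128)
        return at(r, 1) & 31;
    return -1;
}

static struct rd mk(const char *arg) { struct rd r = { arg, strlen(arg) + 1, 0 }; return r; }

/* Wrappers: the parsed escape value (or -1), and whether the parse read past the buffer. */
int escape_value_old(const char *arg)   { struct rd r = mk(arg); return parse_old(&r); }
int escape_oob_old(const char *arg)     { struct rd r = mk(arg); parse_old(&r); return r.oob; }
int escape_value_fixed(const char *arg) { struct rd r = mk(arg); return parse_fixed(&r); }
int escape_oob_fixed(const char *arg)   { struct rd r = mk(arg); parse_fixed(&r); return r.oob; }
```

Both orderings yield the same value for "^"; the difference is that the old one reaches it only after reading a byte that is not part of the string, which is exactly what memcheck would flag.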