[Bug 3269] New: sshbuf_get_u32() called with enum type argument in monitor.c
bugzilla-daemon at mindrot.org
Thu Mar 4 04:45:47 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3269
Bug ID: 3269
Summary: sshbuf_get_u32() called with enum type argument in monitor.c
Product: Portable OpenSSH
Version: 8.4p1
Hardware: Other
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: goetze at dovetail.com

sshbuf_get_u32() as declared in sshbuf.h takes a u_int_t* as the
argument to set:

    int sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp);

However, in monitor.c mm_answer_keyallowed() an enum type is passed
(from the 8.4p1 code base):

    line 1156: enum mm_keytype type = 0;
    line 1161: if ((r = sshbuf_get_u32(m, &type)) != 0 ||

This usage is not safe for implementations that size enum types based
on the smallest type that will fit the set of enum values. My reading
of the C99 standard says that this "size only to fit" approach is an
option left to the implementation (from 6.7.2.2 Enumeration
specifiers):

"Each enumerated type shall be compatible with char, a signed integer
type, or an unsigned integer type. The choice of type is
implementation-defined,110) but shall be capable of representing the
values of all the members of the enumeration."

We are working with a compiler that implements this behavior, and it
does issue a warning about line 1161 above.

If the warning is ignored, the wrong value is in fact set in the enum
type.
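Added example, not part of the original report and not OpenSSH code: it models what a 4-byte store does when the enum object is only one byte wide, next to the portable pattern of reading into an exact-width temporary and converting after a range check. The enum `keytype`, its members, and the helpers `get_u32`, `get_keytype` and `store_u32_over_1byte_enum` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in enum; the names are assumptions, not OpenSSH's definition. */
enum keytype { KT_NONE = 0, KT_HOST = 1, KT_USER = 2 };

/* Stand-in big-endian u32 reader; not the sshbuf implementation. */
static int get_u32(const unsigned char *wire, size_t len, uint32_t *valp)
{
    if (len < 4)
        return -1;
    *valp = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
            ((uint32_t)wire[2] << 8) | (uint32_t)wire[3];
    return 0;
}

/* Safe pattern: exact-width temporary, range check, then convert. */
static int get_keytype(const unsigned char *wire, size_t len, enum keytype *out)
{
    uint32_t v;

    if (get_u32(wire, len, &v) != 0 || v > KT_USER)
        return -1;          /* short input or value outside the enum */
    *out = (enum keytype)v;
    return 0;
}

/*
 * Model of the unsafe store when the enum occupies one byte: slot[0] is the
 * enum object, slot[1..3] are whatever follows it in memory. The bytes are
 * laid out for the chosen host byte order. Returns the byte the enum holds.
 */
static unsigned char store_u32_over_1byte_enum(uint32_t v, int big_endian,
    unsigned char slot[4])
{
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? (3 - i) * 8 : i * 8;
        slot[i] = (unsigned char)(v >> shift);
    }
    return slot[0];
}

int main(void)
{
    const unsigned char wire[4] = { 0, 0, 0, 2 };   /* constructed input */
    unsigned char slot[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    enum keytype t = KT_NONE;
    return !(get_keytype(wire, sizeof(wire), &t) == 0 && t == KT_USER &&
        store_u32_over_1byte_enum(2, 1, slot) == 0);
}
```

In the model, a big-endian host leaves 0 in the enum byte for an intended value of 2, while a little-endian host leaves the expected 2 but overwrites the three bytes that follow the enum.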