[Bug 3269] New: sshbuf_get_u32() called with enum type argument in monitor.c

bugzilla-daemon at mindrot.org
Thu Mar 4 04:45:47 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3269

            Bug ID: 3269
           Summary: sshbuf_get_u32() called with enum type argument in
                    monitor.c
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: goetze at dovetail.com

sshbuf_get_u32() as declared in sshbuf.h takes a u_int32_t* as the
argument to set:

int sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp);

However, in monitor.c mm_answer_keyallowed() an enum type is passed
(from the 8.4p1 code base):

line 1156: enum mm_keytype type = 0;
line 1161: if ((r = sshbuf_get_u32(m, &type)) != 0 ||

This usage is not safe for implementations that size enum types based
on the smallest type that will fit the set of enum values.  My reading
of the C99 standard says that this "size only to fit" approach is an
option left to the implementation (from 6.7.2.2 Enumeration
specifiers):

"Each enumerated type shall be compatible with char, a signed integer
type, or an unsigned integer type. The choice of type is
implementation-defined,110) but shall be capable of representing the
values of all the members of the enumeration."

We are working with a compiler that implements this behavior, and it
does issue a warning about line 1161 above.

If the warning is ignored, the wrong value is in fact set in the enum
type.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
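
The following is an added example, not part of the original report and not OpenSSH code. It shows one way to avoid the mismatch: read into a full-width temporary, range-check it, then convert to the enum. It also models what a 4-byte store does to a 1-byte slot. The names get_u32, get_keytype, enum keytype and struct frame are hypothetical stand-ins, and the enum values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed enum standing in for monitor.c's enum mm_keytype (values assumed). */
enum keytype { KEY_A = 0, KEY_B = 1, KEY_C = 2 };

/* Hypothetical stand-in for sshbuf_get_u32(): parses a big-endian u32 and
 * always stores exactly 4 bytes through valp. */
static int get_u32(const unsigned char *buf, size_t len, uint32_t *valp)
{
    if (len < 4)
        return -1;
    *valp = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
            ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    return 0;
}

/* Safe pattern: the callee writes into a real uint32_t, so the size of the
 * enum no longer matters; the value is validated before conversion. */
static int get_keytype(const unsigned char *buf, size_t len, enum keytype *out)
{
    uint32_t v;

    if (get_u32(buf, len, &v) != 0)
        return -1;              /* short input */
    if (v > (uint32_t)KEY_C)
        return -2;              /* not a member of the enum; *out untouched */
    *out = (enum keytype)v;
    return 0;
}

/* Model of the reported hazard: a 1-byte enum slot followed by three
 * unrelated bytes. The memcpy targets the whole 4-byte struct, so it is
 * well defined here, but it writes the same bytes a store through a
 * u_int32_t * aimed at the 1-byte slot would write. */
struct frame { unsigned char type; unsigned char neighbours[3]; };
_Static_assert(sizeof(struct frame) >= sizeof(uint32_t), "model needs 4 bytes");

/* Returns how many neighbouring bytes the 4-byte store overwrote. Which byte
 * of v lands in .type depends on the machine's byte order. */
static int clobbered_neighbours(uint32_t v)
{
    struct frame f;
    int n = 0;

    memset(&f, 0xAA, sizeof f);
    memcpy(&f, &v, sizeof v);
    for (int i = 0; i < 3; i++)
        n += (f.neighbours[i] != 0xAA);
    return n;
}
```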

