[openssh-commits] [openssh] 01/01: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Jul 18 16:11:49 AEST 2016 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit eb999a4590846ba4d56ddc90bd07c23abfbab7b1
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Jul 18 06:08:01 2016 +0000

    upstream commit
    
    Add some unsigned overflow checks for extra_pad. None of
    these are reachable with the amount of padding that we use internally.
    bz#2566, pointed out by Torben Hansen. ok markus@
    
    Upstream-ID: 4d4be8450ab2fc1b852d5884339f8e8c31c3fd76
---
 packet.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/packet.c b/packet.c
index 3810f11..7290fc7 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.232 2016/07/15 05:01:58 dtucker Exp $ */
+/* $OpenBSD: packet.c,v 1.233 2016/07/18 06:08:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1171,7 +1171,7 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
 {
 	struct session_state *state = ssh->state;
 	u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH];
-	u_char padlen, pad = 0;
+	u_char tmp, padlen, pad = 0;
 	u_int authlen = 0, aadlen = 0;
 	u_int len;
 	struct sshenc *enc   = NULL;
@@ -1229,14 +1229,24 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
 	if (padlen < 4)
 		padlen += block_size;
 	if (state->extra_pad) {
-		/* will wrap if extra_pad+padlen > 255 */
+		tmp = state->extra_pad;
 		state->extra_pad =
 		    roundup(state->extra_pad, block_size);
-		pad = state->extra_pad -
-		    ((len + padlen) % state->extra_pad);
+		/* check if roundup overflowed */
+		if (state->extra_pad < tmp)
+			return SSH_ERR_INVALID_ARGUMENT;
+		tmp = (len + padlen) % state->extra_pad;
+		/* Check whether pad calculation below will underflow */
+		if (tmp > state->extra_pad)
+			return SSH_ERR_INVALID_ARGUMENT;
+		pad = state->extra_pad - tmp;
 		DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
 		    __func__, pad, len, padlen, state->extra_pad));
+		tmp = padlen;
 		padlen += pad;
+		/* Check whether padlen calculation overflowed */
+		if (padlen < tmp)
+			return SSH_ERR_INVALID_ARGUMENT; /* overflow */
 		state->extra_pad = 0;
 	}
 	if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list