[openssh-commits] [openssh] 03/09: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Nov 29 17:20:06 AEDT 2016


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 54d022026aae4f53fa74cc636e4a032d9689b64d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Nov 25 23:24:45 2016 +0000

    upstream commit
    
    use sshbuf_allocate() to pre-allocate the buffer used for
    loading keys. This avoids implicit realloc inside the buffer code, which
    might theoretically leave fragments of the key on the heap. This doesn't
    appear to happen in practice for normal sized keys, but was observed for
    novelty oversize ones.
    
    Pointed out by Jann Horn of Project Zero; ok markus@
    
    Upstream-ID: d620e1d46a29fdea56aeadeda120879eddc60ab1
---
 authfile.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/authfile.c b/authfile.c
index f46b4e3..7411b68 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.121 2016/04/09 12:39:30 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.122 2016/11/25 23:24:45 djm Exp $ */
 /*
  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
  *
@@ -100,13 +100,25 @@ sshkey_load_file(int fd, struct sshbuf *blob)
 	u_char buf[1024];
 	size_t len;
 	struct stat st;
-	int r;
+	int r, dontmax = 0;
 
 	if (fstat(fd, &st) < 0)
 		return SSH_ERR_SYSTEM_ERROR;
 	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
 	    st.st_size > MAX_KEY_FILE_SIZE)
 		return SSH_ERR_INVALID_FORMAT;
+	/*
+	 * Pre-allocate the buffer used for the key contents and clamp its
+	 * maximum size. This ensures that key contents are never leaked via
+	 * implicit realloc() in the sshbuf code.
+	 */
+	if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
+		st.st_size = 64*1024; /* 64k should be enough for anyone :) */
+		dontmax = 1;
+	}
+	if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
+	    (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
+		return r;
 	for (;;) {
 		if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
 			if (errno == EPIPE)
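Review bot: The new comment promises that the buffer's maximum size is clamped, but in the added condition `(dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0)` the clamp is applied only on the fallback path, where the descriptor is not a regular file or reports a size <= 0. For a regular file with a positive st_size the buffer is pre-allocated but not capped. If the read loop appends more than st_size bytes, for example because the file grew after the fstat(), the sshbuf code can still reallocate implicitly, and that is the behaviour this change sets out to avoid. Consider calling sshbuf_set_max_size() in both cases, or narrowing the comment to say when the cap applies. The flag name also reads backwards: `dontmax = 1` is the case in which the maximum is set, so a name such as `setmax` would match its use. Separately, `(st.st_mode & S_IFREG) == 0` is a bit test and not a file-type comparison. On systems where the S_IFSOCK and S_IFLNK values include the S_IFREG bit, it does not single out regular files, so S_ISREG(st.st_mode) would state the intent more precisely.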
