[openssh-commits] [openssh] 02/03: upstream: add defence-in-depth checks for some unreachable integer

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Jul 14 15:38:31 AEST 2023 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 2ee48adb9fc8692e8d6ac679dcc9f35e89ad68f0
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Jul 14 05:31:44 2023 +0000

    upstream: add defence-in-depth checks for some unreachable integer
    
    overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@
    
    OpenBSD-Commit-ID: 52af085f4e7ef9f9d8423d8c1840a6a88bda90bd
---
 auth-options.c | 7 ++++---
 misc.c         | 7 +++++--
 scp.c          | 9 +++++++--
 ssh-keygen.c   | 9 +++++++--
 4 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/auth-options.c b/auth-options.c
index 88e9eb1c..e1ced205 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.99 2023/03/29 00:18:35 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.100 2023/07/14 05:31:44 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm at mindrot.org>
  *
@@ -48,10 +48,11 @@ dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc)
 
 	*dstp = NULL;
 	*ndstp = 0;
+
 	if (nsrc == 0)
 		return 0;
-
-	if ((dst = calloc(nsrc, sizeof(*src))) == NULL)
+	if (nsrc >= SIZE_MAX / sizeof(*src) ||
+	    (dst = calloc(nsrc, sizeof(*src))) == NULL)
 		return -1;
 	for (i = 0; i < nsrc; i++) {
 		if ((dst[i] = strdup(src[i])) == NULL) {
diff --git a/misc.c b/misc.c
index 63c3d4d2..2960a2a4 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.181 2023/03/03 02:37:58 dtucker Exp $ */
+/* $OpenBSD: misc.c,v 1.182 2023/07/14 05:31:44 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
@@ -926,8 +926,11 @@ urldecode(const char *src)
 {
 	char *ret, *dst;
 	int ch;
+	size_t srclen;
 
-	ret = xmalloc(strlen(src) + 1);
+	if ((srclen = strlen(src)) >= SIZE_MAX)
+		fatal_f("input too large");
+	ret = xmalloc(srclen + 1);
 	for (dst = ret; *src != '\0'; src++) {
 		switch (*src) {
 		case '+':
diff --git a/scp.c b/scp.c
index 1800ba3c..5edb4f07 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.256 2023/03/31 05:56:36 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.257 2023/07/14 05:31:44 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -838,8 +838,13 @@ emit_expansion(const char *pattern, int brace_start, int brace_end,
     int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
 {
 	char *cp;
-	int o = 0, tail_len = strlen(pattern + brace_end + 1);
+	size_t pattern_len;
+	int o = 0, tail_len;
 
+	if ((pattern_len = strlen(pattern)) == 0 || pattern_len >= INT_MAX)
+		return -1;
+
+	tail_len = strlen(pattern + brace_end + 1);
 	if ((cp = malloc(brace_start + (sel_end - sel_start) +
 	    tail_len + 1)) == NULL)
 		return -1;
diff --git a/ssh-keygen.c b/ssh-keygen.c
index fd2725c2..93c3ff70 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.468 2023/06/20 00:05:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.469 2023/07/14 05:31:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2246,7 +2246,8 @@ hash_to_blob(const char *cp, u_char **blobp, size_t *lenp,
 	 * OpenSSH base64 hashes omit trailing '='
 	 * characters; put them back for decode.
 	 */
-	tlen = strlen(cp);
+	if ((tlen = strlen(cp)) >= SIZE_MAX - 5)
+		fatal_f("hash too long: %zu bytes", tlen);
 	tmp = xmalloc(tlen + 4 + 1);
 	strlcpy(tmp, cp, tlen + 1);
 	while ((tlen % 4) != 0) {
@@ -2288,6 +2289,10 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
 	if (!quiet)
 		printf("Revoking from %s\n", path);
 	while (getline(&line, &linesize, krl_spec) != -1) {
+		if (linesize >= INT_MAX) {
+			fatal_f("%s contains unparsable line, len=%zu",
+			    path, linesize);
+		}
 		lnum++;
 		was_explicit_key = was_sha1 = was_sha256 = was_hash = 0;
 		cp = line + strspn(line, " \t");

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list