[openssh-commits] [openssh] branch V_10_0 updated: upstream: fix an out-of-bounds read if the known_hosts file is
git+noreply at mindrot.org
Wed Apr 30 15:28:15 AEST 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch V_10_0
in repository openssh.
The following commit(s) were added to refs/heads/V_10_0 by this push:
new 4b1f172fe upstream: fix an out-of-bounds read if the known_hosts file is
4b1f172fe is described below
commit 4b1f172fe91c253d09d75650981a3e0c87651fa3
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed Apr 30 05:23:15 2025 +0000
upstream: fix an out-of-bounds read if the known_hosts file is
truncated after the hostname.
Reported by the OpenAI Security Research Team
ok deraadt@
OpenBSD-Commit-ID: c0b516d7c80c4779a403826f73bcd8adbbc54ebd
---
hostfile.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hostfile.c b/hostfile.c
index c5669c703..a4a5a9a5e 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.95 2023/02/21 06:48:18 dtucker Exp $ */
+/* $OpenBSD: hostfile.c,v 1.96 2025/04/30 05:23:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -810,6 +810,12 @@ hostkeys_foreach_file(const char *path, FILE *f, hostkeys_foreach_fn *callback,
/* Find the end of the host name portion. */
for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
;
+ if (*cp2 == '\0') {
+ verbose_f("truncated line at %s:%lu", path, linenum);
+ if ((options & HKF_WANT_MATCH) == 0)
+ goto bad;
+ continue;
+ }
lineinfo.hosts = cp;
*cp2++ = '\0';
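Review bot: The new `*cp2 == '\0'` check after the host-name scan loop carries no comment saying why it has to come before `*cp2++ = '\0'`. When a line ends immediately after the host name, that store lands on the terminator and leaves cp2 pointing one byte past the end of the string, which is the out-of-bounds read the commit message describes. A short comment above the check (for example, "line ends after the host name, nothing left to parse") would keep a later refactor from reordering the two. The diffstat also shows hostfile.c as the only file changed, so a regression case feeding a known_hosts line that consists of a host name with no trailing whitespace or key would be worth adding, covering both the `goto bad` path and the `continue` path taken when HKF_WANT_MATCH is set.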