[openssh-commits] [openssh] 07/08: upstream: Fix two separate one-byte out-of-bound reads
git+noreply at mindrot.org
Sun May 31 15:04:10 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 073faa6beceea162eeeb7963c7352a6c851e507a
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sun May 31 04:51:45 2026 +0000
upstream: Fix two separate one-byte out-of-bound reads
1) if a server sent an empty reply to a SSH2_FXP_REALPATH request
2) if a batch command used the full 2048 byte buffer but ended in a
literal backslash character
Both reported by Zhenpeng (Leo) Lin from depthfirst
ok markus@
OpenBSD-Commit-ID: d1ccc1f5a6eb109065ce8a552fea8e502381ce59
---
sftp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/sftp.c b/sftp.c
index eebb166e8..0ab9206c2 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.250 2026/02/11 17:01:34 dtucker Exp $ */
+/* $OpenBSD: sftp.c,v 1.251 2026/05/31 04:51:45 djm Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm at openbsd.org>
*
@@ -369,10 +369,9 @@ path_strip(const char *path, const char *strip)
{
size_t len;
- if (strip == NULL)
+ if (strip == NULL || (len = strlen(strip)) == 0)
return (xstrdup(path));
- len = strlen(strip);
if (strncmp(path, strip, len) == 0) {
if (strip[len - 1] != '/' && path[len] == '/')
len++;
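Review bot: the new `(len = strlen(strip)) == 0` test in path_strip() carries no comment explaining why an empty strip is returned unchanged, and the reason is not obvious from the condition alone. With len == 0 the strncmp() call matches trivially and the following line reads `strip[len - 1]`, one byte before the start of the string. A one-line comment above the if stating that would keep a later cleanup from moving the strlen() back out and dropping the guard. The assignment inside the condition is safe as written, since len is never used on the strip == NULL path.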
@@ -1283,6 +1282,8 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
/* Unescape everything */
/* XXX support \n and friends? */
i++;
+ if (arg[i] == '\0')
+ goto early_nul;
argvs[j++] = arg[i];
}
}
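Review bot: the `goto early_nul` after `i++` in the "Unescape everything" branch of makeargv() handles a backslash followed by NUL through the end-of-input code at the label, but nothing at the jump site says that this is the intended treatment of a trailing backslash. A short comment here would help the next reader, for example noting that a backslash at end of input is handled as unterminated input. The commit message names a concrete trigger (a batch command that fills the 2048 byte buffer and ends in a literal backslash), so a regression test for that input would be worth adding with this change.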
@@ -1293,6 +1294,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
goto string_done;
} else if (arg[i] == '\0') {
if (state == MA_SQUOTE || state == MA_DQUOTE) {
+ early_nul:
if (sloppy) {
state = MA_UNQUOTED;
if (terminated != NULL)
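Review bot: the `early_nul:` label sits inside the body of `if (state == MA_SQUOTE || state == MA_DQUOTE)`, so the jump from the escape branch enters that body with a state that does not satisfy the condition. That is harmless for the sloppy path shown, which resets state to MA_UNQUOTED and tests terminated, but anything further down in this block that assumes an open quote will now also run for a trailing backslash. Consider setting a flag in the escape branch and testing it in this condition instead of jumping into the block, or at least comment the label with the states it can be reached from.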