[PATCH] harden parent-child check in sshbuf.c
Damien Miller
djm at mindrot.org
Wed Aug 14 09:51:36 AEST 2024
ok
On Tue, 13 Aug 2024, Tobias Stoeckmann wrote:
> This simple additional check hardens sshbuf against linking an
> sshbuf into itself as parent/child pair, which could lead to ref
> counting issues.
>
> Purely defensive measure. I am not aware that this could happen
> somehwere in the code by now.
>
> Okay?
>
> Index: sshbuf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshbuf.c,v
> diff -u -p -u -p -r1.19 sshbuf.c
> --- sshbuf.c 2 Dec 2022 04:40:27 -0000 1.19
> +++ sshbuf.c 13 Aug 2024 16:52:58 -0000
> @@ -55,6 +55,7 @@ sshbuf_check_sanity(const struct sshbuf
> SSHBUF_TELL("sanity");
> if (__predict_false(buf == NULL ||
> (!buf->readonly && buf->d != buf->cd) ||
> + buf->parent == buf ||
> buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||
> buf->cd == NULL ||
> buf->max_size > SSHBUF_SIZE_MAX ||
> @@ -130,7 +131,8 @@ sshbuf_set_parent(struct sshbuf *child,
> if ((r = sshbuf_check_sanity(child)) != 0 ||
> (r = sshbuf_check_sanity(parent)) != 0)
> return r;
> - if (child->parent != NULL && child->parent != parent)
> + if ((child->parent != NULL && child->parent != parent) ||
> + child == parent)
> return SSH_ERR_INTERNAL_ERROR;
> child->parent = parent;
> child->parent->refcount++;
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the openssh-unix-dev
mailing list