Strictly enforce the maximum allowed SSH2 banner size in ssh-keyscan

and prevent a one-byte buffer overflow.  Patch from Qualys, ok djm@

diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 1b75bbe..225884e 100644 (file)
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -470,6 +470,15 @@ congreet(int s)
                return;
        }
 
+       /*
+        * Read the server banner as per RFC4253 section 4.2.  The "SSH-"
+        * protocol identification string may be preceeded by an arbitarily
+        * large banner which we must read and ignore.  Loop while reading
+        * newline-terminated lines until we have one starting with "SSH-".
+        * The ID string cannot be longer than 255 characters although the
+        * preceeding banner lines may (in which case they'll be discarded
+        * in multiple iterations of the outer loop).
+        */
        for (;;) {
                memset(buf, '\0', sizeof(buf));
                bufsiz = sizeof(buf);
@@ -497,6 +506,11 @@ congreet(int s)
                conrecycle(s);
                return;
        }
+       if (cp >= buf + sizeof(buf)) {
+               error("%s: greeting exceeds allowable length", c->c_name);
+               confree(s);
+               return;
+       }
        if (*cp != '\n' && *cp != '\r') {
                error("%s: bad greeting", c->c_name);
                confree(s);