require control-escape character sequences passed via the '-e ^x'
authordjm <djm@openbsd.org>
Fri, 18 Oct 2024 05:03:34 +0000 (05:03 +0000)
committerdjm <djm@openbsd.org>
Fri, 18 Oct 2024 05:03:34 +0000 (05:03 +0000)
commandline to be exactly two characters long. Avoids a one-byte OOB
read if ssh is invoked as "ssh -e^ ..."

Spotted by Maciej Domanski in GHPR368

usr.bin/ssh/ssh.c

index 65fb522..74a68e3 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.600 2024/01/11 01:45:36 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.601 2024/10/18 05:03:34 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -939,7 +939,7 @@ main(int ac, char **av)
                        options.log_level = SYSLOG_LEVEL_QUIET;
                        break;
                case 'e':
-                       if (optarg[0] == '^' && optarg[2] == 0 &&
+                       if (strlen(optarg) == 2 && optarg[0] == '^' &&
                            (u_char) optarg[1] >= 64 &&
                            (u_char) optarg[1] < 128)
                                options.escape_char = (u_char) optarg[1] & 31;
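Review bot: The condition in `case 'e':` is undocumented: neither the new `strlen(optarg) == 2` test nor the bare constants 64, 128 and 31 are explained anywhere in the hunk. A comment above the `if` would record both, e.g. `/* "^X" form: exactly two chars, so optarg[1] is always inside the string */` and `/* X in 64..127 maps to control code X & 31 */`. The rest of the `if`/`else` chain lies outside the hunk, so how arguments of other lengths are handled cannot be confirmed from here. A regression case that passes a lone caret to `-e` would keep the length check from being dropped in a later cleanup.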