From 59480edead391337354aa3173c0e72de67c8490e Mon Sep 17 00:00:00 2001 From: djm Date: Mon, 4 May 2015 06:10:48 +0000 Subject: [PATCH] Remove pattern length argument from match_pattern_list(), we only ever use it for strlen(pattern). Prompted by hanno AT hboeck.de pointing an out-of-bound read error caused by an incorrect pattern length found using AFL and his own tools. ok markus@ --- usr.bin/ssh/auth2-hostbased.c | 5 ++--- usr.bin/ssh/auth2-pubkey.c | 6 +++--- usr.bin/ssh/clientloop.c | 5 ++--- usr.bin/ssh/compat.c | 7 +++---- usr.bin/ssh/groupaccess.c | 6 ++---- usr.bin/ssh/hostfile.c | 4 ++-- usr.bin/ssh/match.c | 14 ++++++-------- usr.bin/ssh/match.h | 6 +++--- usr.bin/ssh/monitor.c | 8 +++----- usr.bin/ssh/readconf.c | 16 +++++++--------- usr.bin/ssh/servconf.c | 8 +++----- usr.bin/ssh/ssh.c | 8 +++----- usr.bin/ssh/sshconnect2.c | 5 ++--- usr.bin/ssh/sshkey.c | 4 ++-- 14 files changed, 43 insertions(+), 59 deletions(-) diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c index ebd407374f2..f1ea8c098bd 100644 --- a/usr.bin/ssh/auth2-hostbased.c +++ b/usr.bin/ssh/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.25 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -108,8 +108,7 @@ userauth_hostbased(Authctxt *authctxt) goto done; } if (match_pattern_list(sshkey_ssh_name(key), - options.hostbased_key_types, - strlen(options.hostbased_key_types), 0) != 1) { + options.hostbased_key_types, 0) != 1) { logit("%s: key type %s not in HostbasedAcceptedKeyTypes", __func__, sshkey_type(key)); goto done; diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c index f53a67fc8e3..e7c9658f4c9 100644 --- a/usr.bin/ssh/auth2-pubkey.c +++ b/usr.bin/ssh/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.48 2015/05/01 03:23:51 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.49 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -124,8 +124,8 @@ userauth_pubkey(Authctxt *authctxt) logit("refusing previously-used %s key", key_type(key)); goto done; } - if (match_pattern_list(sshkey_ssh_name(key), options.pubkey_key_types, - strlen(options.pubkey_key_types), 0) != 1) { + if (match_pattern_list(sshkey_ssh_name(key), + options.pubkey_key_types, 0) != 1) { logit("%s: key type %s not in PubkeyAcceptedKeyTypes", __func__, sshkey_ssh_name(key)); goto done; diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c index f48da4f34c6..878c8c6aee0 100644 --- a/usr.bin/ssh/clientloop.c +++ b/usr.bin/ssh/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.272 2015/02/25 19:54:02 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.273 2015/05/04 06:10:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2334,8 +2334,7 @@ client_input_hostkeys(void) /* Check that the key is accepted in HostkeyAlgorithms */ if (options.hostkeyalgorithms != NULL && match_pattern_list(sshkey_ssh_name(key), - options.hostkeyalgorithms, - strlen(options.hostkeyalgorithms), 0) != 1) { + options.hostkeyalgorithms, 0) != 1) { debug3("%s: %s key not permitted by HostkeyAlgorithms", __func__, sshkey_ssh_name(key)); continue; diff --git a/usr.bin/ssh/compat.c b/usr.bin/ssh/compat.c index 4c8d5dafcce..c21f290fd55 100644 --- a/usr.bin/ssh/compat.c +++ b/usr.bin/ssh/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.90 2015/04/13 02:04:08 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.91 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -182,8 +182,7 @@ compat_datafellows(const char *version) /* process table, return first match */ for (i = 0; check[i].pat; i++) { - if (match_pattern_list(version, check[i].pat, - strlen(check[i].pat), 0) == 1) { + if (match_pattern_list(version, check[i].pat, 0) == 1) { debug("match: %s pat %s compat 0x%08x", version, check[i].pat, check[i].bugs); datafellows = check[i].bugs; /* XXX for now */ @@ -241,7 +240,7 @@ filter_proposal(char *proposal, const char *filter) buffer_init(&b); tmp = orig_prop = xstrdup(proposal); while ((cp = strsep(&tmp, ",")) != NULL) { - if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) { + if (match_pattern_list(cp, filter, 0) != 1) { if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); buffer_append(&b, cp, strlen(cp)); diff --git a/usr.bin/ssh/groupaccess.c b/usr.bin/ssh/groupaccess.c index 79da627aa9e..618fe4a199b 100644 --- a/usr.bin/ssh/groupaccess.c +++ b/usr.bin/ssh/groupaccess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: groupaccess.c,v 1.15 2015/01/20 23:14:00 deraadt Exp $ */ +/* $OpenBSD: groupaccess.c,v 1.16 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 2001 Kevin Steves. All rights reserved. * @@ -87,11 +87,9 @@ int ga_match_pattern_list(const char *group_pattern) { int i, found = 0; - size_t len = strlen(group_pattern); for (i = 0; i < ngroups; i++) { - switch (match_pattern_list(groups_byname[i], - group_pattern, len, 0)) { + switch (match_pattern_list(groups_byname[i], group_pattern, 0)) { case -1: return 0; /* Negated match wins */ case 0: diff --git a/usr.bin/ssh/hostfile.c b/usr.bin/ssh/hostfile.c index 3df8e99437b..1f225cad63e 100644 --- a/usr.bin/ssh/hostfile.c +++ b/usr.bin/ssh/hostfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.c,v 1.65 2015/03/31 22:57:06 djm Exp $ */ +/* $OpenBSD: hostfile.c,v 1.66 2015/05/04 06:10:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -660,7 +660,7 @@ match_maybe_hashed(const char *host, const char *names, int *was_hashed) return nlen == strlen(hashed_host) && strncmp(hashed_host, names, nlen) == 0; } - return match_hostname(host, names, nlen) == 1; + return match_hostname(host, names) == 1; } int diff --git a/usr.bin/ssh/match.c b/usr.bin/ssh/match.c index 156c08c019f..cf4b2f4e03e 100644 --- a/usr.bin/ssh/match.c +++ b/usr.bin/ssh/match.c @@ -1,4 +1,4 @@ -/* $OpenBSD: match.c,v 1.29 2013/11/20 20:54:10 deraadt Exp $ */ +/* $OpenBSD: match.c,v 1.30 2015/05/04 06:10:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -113,15 +113,13 @@ match_pattern(const char *s, const char *pattern) * indicate negation). Returns -1 if negation matches, 1 if there is * a positive match, 0 if there is no match at all. */ - int -match_pattern_list(const char *string, const char *pattern, u_int len, - int dolower) +match_pattern_list(const char *string, const char *pattern, int dolower) { char sub[1024]; int negated; int got_positive; - u_int i, subi; + u_int i, subi, len = strlen(pattern); got_positive = 0; for (i = 0; i < len;) { @@ -175,9 +173,9 @@ match_pattern_list(const char *string, const char *pattern, u_int len, * a positive match, 0 if there is no match at all. */ int -match_hostname(const char *host, const char *pattern, u_int len) +match_hostname(const char *host, const char *pattern) { - return match_pattern_list(host, pattern, len, 1); + return match_pattern_list(host, pattern, 1); } /* @@ -198,7 +196,7 @@ match_host_and_ip(const char *host, const char *ipaddr, return 0; /* negative hostname match */ - if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1) + if ((mhost = match_hostname(host, patterns)) == -1) return 0; /* no match at all */ if (mhost == 0 && mip == 0) diff --git a/usr.bin/ssh/match.h b/usr.bin/ssh/match.h index 3d7f70fc01b..db97ca8f7a2 100644 --- a/usr.bin/ssh/match.h +++ b/usr.bin/ssh/match.h @@ -1,4 +1,4 @@ -/* $OpenBSD: match.h,v 1.15 2010/02/26 20:29:54 djm Exp $ */ +/* $OpenBSD: match.h,v 1.16 2015/05/04 06:10:48 djm Exp $ */ /* * Author: Tatu Ylonen @@ -15,8 +15,8 @@ #define MATCH_H int match_pattern(const char *, const char *); -int match_pattern_list(const char *, const char *, u_int, int); -int match_hostname(const char *, const char *, u_int); +int match_pattern_list(const char *, const char *, int); +int match_hostname(const char *, const char *); int match_host_and_ip(const char *, const char *, const char *); int match_user(const char *, const char *, const char *, const char *); char *match_list(const char *, const char *, u_int *); diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index 2bd6753193a..a4d12f7fe7e 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.148 2015/05/01 03:23:51 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.149 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -928,8 +928,7 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed = options.pubkey_authentication && !auth2_userkey_already_used(authctxt, key) && match_pattern_list(sshkey_ssh_name(key), - options.pubkey_key_types, - strlen(options.pubkey_key_types), 0) == 1 && + options.pubkey_key_types, 0) == 1 && user_key_allowed(authctxt->pw, key, pubkey_auth_attempt); pubkey_auth_info(authctxt, key, NULL); @@ -941,8 +940,7 @@ mm_answer_keyallowed(int sock, Buffer *m) case MM_HOSTKEY: allowed = options.hostbased_authentication && match_pattern_list(sshkey_ssh_name(key), - options.hostbased_key_types, - strlen(options.hostbased_key_types), 0) == 1 && + options.hostbased_key_types, 0) == 1 && hostbased_key_allowed(authctxt->pw, cuser, chost, key); pubkey_auth_info(authctxt, key, diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index e47b9bb8c95..d5790725bc2 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.234 2015/04/24 01:36:00 deraadt Exp $ */ +/* $OpenBSD: readconf.c,v 1.235 2015/05/04 06:10:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -480,7 +480,6 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria; const char *ruser; int r, port, this_result, result = 1, attributes = 0, negate; - size_t len; char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; /* @@ -533,25 +532,24 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, result = -1; goto out; } - len = strlen(arg); if (strcasecmp(attrib, "host") == 0) { criteria = xstrdup(host); - r = match_hostname(host, arg, len) == 1; + r = match_hostname(host, arg) == 1; if (r == (negate ? 1 : 0)) this_result = result = 0; } else if (strcasecmp(attrib, "originalhost") == 0) { criteria = xstrdup(original_host); - r = match_hostname(original_host, arg, len) == 1; + r = match_hostname(original_host, arg) == 1; if (r == (negate ? 1 : 0)) this_result = result = 0; } else if (strcasecmp(attrib, "user") == 0) { criteria = xstrdup(ruser); - r = match_pattern_list(ruser, arg, len, 0) == 1; + r = match_pattern_list(ruser, arg, 0) == 1; if (r == (negate ? 1 : 0)) this_result = result = 0; } else if (strcasecmp(attrib, "localuser") == 0) { criteria = xstrdup(pw->pw_name); - r = match_pattern_list(pw->pw_name, arg, len, 0) == 1; + r = match_pattern_list(pw->pw_name, arg, 0) == 1; if (r == (negate ? 1 : 0)) this_result = result = 0; } else if (strcasecmp(attrib, "exec") == 0) { @@ -653,8 +651,8 @@ parse_token(const char *cp, const char *filename, int linenum, for (i = 0; keywords[i].name; i++) if (strcmp(cp, keywords[i].name) == 0) return keywords[i].opcode; - if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown, - strlen(ignored_unknown), 1) == 1) + if (ignored_unknown != NULL && + match_pattern_list(cp, ignored_unknown, 1) == 1) return oIgnoredUnknownOption; error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index ed625671875..0c471d69ec2 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.268 2015/05/01 07:08:08 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.269 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -713,7 +713,6 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) { int result = 1, attributes = 0, port; char *arg, *attrib, *cp = *condition; - size_t len; if (ci == NULL) debug3("checking syntax for 'Match %s'", cp); @@ -740,13 +739,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) error("Missing Match criteria for %s", attrib); return -1; } - len = strlen(arg); if (strcasecmp(attrib, "user") == 0) { if (ci == NULL || ci->user == NULL) { result = 0; continue; } - if (match_pattern_list(ci->user, arg, len, 0) != 1) + if (match_pattern_list(ci->user, arg, 0) != 1) result = 0; else debug("user %.100s matched 'User %.100s' at " @@ -767,7 +765,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) result = 0; continue; } - if (match_hostname(ci->host, arg, len) != 1) + if (match_hostname(ci->host, arg) != 1) result = 0; else debug("connection from %.100s matched 'Host " diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index 1b83d9d0209..918425b6b1e 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.417 2015/04/17 13:16:48 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.418 2015/05/04 06:10:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -341,10 +341,8 @@ check_follow_cname(char **namep, const char *cname) debug3("%s: check \"%s\" CNAME \"%s\"", __func__, *namep, cname); for (i = 0; i < options.num_permitted_cnames; i++) { rule = options.permitted_cnames + i; - if (match_pattern_list(*namep, rule->source_list, - strlen(rule->source_list), 1) != 1 || - match_pattern_list(cname, rule->target_list, - strlen(rule->target_list), 1) != 1) + if (match_pattern_list(*namep, rule->source_list, 1) != 1 || + match_pattern_list(cname, rule->target_list, 1) != 1) continue; verbose("Canonicalized DNS aliased hostname " "\"%s\" => \"%s\"", *namep, cname); diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 9af29559d9a..c3249d52cae 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.223 2015/01/30 11:43:14 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1602,8 +1602,7 @@ userauth_hostbased(Authctxt *authctxt) continue; if (match_pattern_list( sshkey_ssh_name(authctxt->sensitive->keys[i]), - authctxt->active_ktype, - strlen(authctxt->active_ktype), 0) != 1) + authctxt->active_ktype, 0) != 1) continue; /* we take and free the key */ private = authctxt->sensitive->keys[i]; diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c index ce6d4a13c4e..7eb41f8c2bb 100644 --- a/usr.bin/ssh/sshkey.c +++ b/usr.bin/ssh/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.16 2015/04/03 22:17:27 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.17 2015/05/04 06:10:48 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -239,7 +239,7 @@ sshkey_names_valid2(const char *names, int allow_wildcard) if (kt->type == KEY_RSA1) continue; if (match_pattern_list(kt->name, - p, strlen(p), 0) != 0) + p, 0) != 0) break; } if (kt->type != -1) -- 2.20.1