From eacd9bb8f0819fc759bd0fa199d7d26fcbe35cd4 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 14 Jul 2023 05:31:44 +0000 Subject: [PATCH] add defence-in-depth checks for some unreachable integer overflows reported by Yair Mizrahi @ JFrog; feedback/ok millert@ --- usr.bin/ssh/auth-options.c | 7 ++++--- usr.bin/ssh/misc.c | 7 +++++-- usr.bin/ssh/scp.c | 9 +++++++-- usr.bin/ssh/ssh-keygen.c | 9 +++++++-- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c index 177a221f118..44dcacf370f 100644 --- a/usr.bin/ssh/auth-options.c +++ b/usr.bin/ssh/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.99 2023/03/29 00:18:35 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.100 2023/07/14 05:31:44 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller * @@ -45,10 +45,11 @@ dup_strings(char ***dstp, size_t *ndstp, char **src, size_t nsrc) *dstp = NULL; *ndstp = 0; + if (nsrc == 0) return 0; - - if ((dst = calloc(nsrc, sizeof(*src))) == NULL) + if (nsrc >= SIZE_MAX / sizeof(*src) || + (dst = calloc(nsrc, sizeof(*src))) == NULL) return -1; for (i = 0; i < nsrc; i++) { if ((dst[i] = strdup(src[i])) == NULL) { diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c index a9b5da7094d..4c6fceffc0b 100644 --- a/usr.bin/ssh/misc.c +++ b/usr.bin/ssh/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.181 2023/03/03 02:37:58 dtucker Exp $ */ +/* $OpenBSD: misc.c,v 1.182 2023/07/14 05:31:44 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005-2020 Damien Miller. All rights reserved. @@ -879,8 +879,11 @@ urldecode(const char *src) { char *ret, *dst; int ch; + size_t srclen; - ret = xmalloc(strlen(src) + 1); + if ((srclen = strlen(src)) >= SIZE_MAX) + fatal_f("input too large"); + ret = xmalloc(srclen + 1); for (dst = ret; *src != '\0'; src++) { switch (*src) { case '+': diff --git a/usr.bin/ssh/scp.c b/usr.bin/ssh/scp.c index 5baab2e8781..3a279a105f1 100644 --- a/usr.bin/ssh/scp.c +++ b/usr.bin/ssh/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.256 2023/03/31 05:56:36 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.257 2023/07/14 05:31:44 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -777,8 +777,13 @@ emit_expansion(const char *pattern, int brace_start, int brace_end, int sel_start, int sel_end, char ***patternsp, size_t *npatternsp) { char *cp; - int o = 0, tail_len = strlen(pattern + brace_end + 1); + size_t pattern_len; + int o = 0, tail_len; + if ((pattern_len = strlen(pattern)) == 0 || pattern_len >= INT_MAX) + return -1; + + tail_len = strlen(pattern + brace_end + 1); if ((cp = malloc(brace_start + (sel_end - sel_start) + tail_len + 1)) == NULL) return -1; diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index 7979930aaa1..47a1053ca78 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.468 2023/06/20 00:05:09 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.469 2023/07/14 05:31:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -2223,7 +2223,8 @@ hash_to_blob(const char *cp, u_char **blobp, size_t *lenp, * OpenSSH base64 hashes omit trailing '=' * characters; put them back for decode. */ - tlen = strlen(cp); + if ((tlen = strlen(cp)) >= SIZE_MAX - 5) + fatal_f("hash too long: %zu bytes", tlen); tmp = xmalloc(tlen + 4 + 1); strlcpy(tmp, cp, tlen + 1); while ((tlen % 4) != 0) { @@ -2265,6 +2266,10 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca, if (!quiet) printf("Revoking from %s\n", path); while (getline(&line, &linesize, krl_spec) != -1) { + if (linesize >= INT_MAX) { + fatal_f("%s contains unparsable line, len=%zu", + path, linesize); + } lnum++; was_explicit_key = was_sha1 = was_sha256 = was_hash = 0; cp = line + strspn(line, " \t"); -- 2.20.1