author | djm@openbsd.org <djm@openbsd.org> | 2022-04-08 04:40:40 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2022-04-12 09:35:31 +1000 |
commit | 4673fa8f2be983f2f88d5afd754adb1a2a39ec9e (patch) | |
tree | 4e409b3068c140d54d4188bed2246f5d390f0953 | |
parent | 26eef015e2d2254375e13afaaf753b78932b1bf5 (diff) | |
upstream: two defensive changes from Tobias Stoeckmann via GHPR287
enforce stricter invariant for sshbuf_set_parent() - never allow
a buffer to have a previously-set parent changed.
In sshbuf_reset(), if the reallocation fails, then zero the entire
buffer and not the (potentially smaller) default initial alloc size.
OpenBSD-Commit-ID: 14583203aa5d50ad38d2e209ae10abaf8955e6a9
-rw-r--r-- | sshbuf.c | 9 |
1 files changed, 6 insertions, 3 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf.c,v 1.15 2020/02/26 13:40:09 jsg Exp $ */
+/* $OpenBSD: sshbuf.c,v 1.16 2022/04/08 04:40:40 djm Exp $ */
 /*
 * Copyright (c) 2011 Damien Miller
 *
@@ -109,6 +109,8 @@ sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent)
 if ((r = sshbuf_check_sanity(child)) != 0 ||
 (r = sshbuf_check_sanity(parent)) != 0)
 return r;
+ if (child->parent != NULL && child->parent != parent)
+ return SSH_ERR_INTERNAL_ERROR;
 child->parent = parent;
 child->parent->refcount++;
 return 0;
@@ -177,7 +179,8 @@ sshbuf_reset(struct sshbuf *buf)
 buf->off = buf->size;
 return;
 }
- (void) sshbuf_check_sanity(buf);
+ if (sshbuf_check_sanity(buf) != 0)
+ return;
 buf->off = buf->size = 0;
 if (buf->alloc != SSHBUF_SIZE_INIT) {
 if ((d = recallocarray(buf->d, buf->alloc, SSHBUF_SIZE_INIT,
@@ -186,7 +189,7 @@ sshbuf_reset(struct sshbuf *buf)
 buf->alloc = SSHBUF_SIZE_INIT;
 }
 }
- explicit_bzero(buf->d, SSHBUF_SIZE_INIT);
+ explicit_bzero(buf->d, buf->alloc);
 }
 
 size_t |
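Review bot: The new guard in sshbuf_set_parent still lets a call through when `child->parent == parent`, and that call reaches `child->parent->refcount++` a second time for the same child link. If the release path drops only one reference per child (not visible in this hunk), the parent's count would never return to zero and its storage would never be wiped or freed. Returning early for the already-linked case keeps the count balanced: `if (child->parent != NULL) return child->parent == parent ? 0 : SSH_ERR_INTERNAL_ERROR;`. The function's opening lines are outside the hunk.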
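Review bot: The early `return` added after `sshbuf_check_sanity(buf)` leaves `buf->off`, `buf->size` and the buffer contents untouched, and the bare `return;` statements suggest sshbuf_reset has no return value. A caller that resets a buffer to discard sensitive data therefore cannot tell that the wipe was skipped. Not touching a buffer whose fields cannot be trusted is a defensible choice, but it should be recorded at the check, e.g. `/* Insane buffer: sizes can't be trusted, so leave it alone rather than wipe */`. The start of sshbuf_reset is outside the hunk and the function continues in the next one.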
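Review bot: The final `explicit_bzero(buf->d, buf->alloc)` is only right because `buf->alloc` appears to stay at the old size when `recallocarray()` fails, and nothing at the call says so. The assignment `buf->alloc = SSHBUF_SIZE_INIT;` is visible only inside the success branch. A one-line comment above the call would keep a later edit from reintroducing the short wipe, e.g. `/* alloc is still the old size if the shrink failed; wipe all of it */`. The reallocation branch begins in the previous hunk and two of its lines fall between the hunks.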