author | dtucker@openbsd.org <dtucker@openbsd.org> | 2022-08-19 04:02:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2022-08-19 16:34:06 +1000 |
commit | ff89b1bed80721295555bd083b173247a9c0484e (patch) | |
tree | 6c7cd47eb0fa9b14350f71761e8e16df78e35205 /ssh-keyscan.c | |
parent | 1b470b9036639cef4f32fb303bb35ea0b711178d (diff) | |
upstream: Strictly enforce the maximum allowed SSH2 banner size in
ssh-keyscan and prevent a one-byte buffer overflow. Patch from Qualys, ok
djm@
OpenBSD-Commit-ID: 6ae664f9f4db6e8a0589425f74cd0bbf3aeef4e4
Diffstat (limited to 'ssh-keyscan.c')
-rw-r--r-- | ssh-keyscan.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index d29a03b4..d7283136 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */
 /*
 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 *
@@ -490,6 +490,15 @@ congreet(int s)
 return;
 }
 
+ /*
+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
+ * protocol identification string may be preceeded by an arbitarily
+ * large banner which we must read and ignore. Loop while reading
+ * newline-terminated lines until we have one starting with "SSH-".
+ * The ID string cannot be longer than 255 characters although the
+ * preceeding banner lines may (in which case they'll be discarded
+ * in multiple iterations of the outer loop).
+ */
 for (;;) {
 memset(buf, '\0', sizeof(buf));
 bufsiz = sizeof(buf);
@@ -517,6 +526,11 @@ congreet(int s)
 conrecycle(s);
 return;
 }
+ if (cp >= buf + sizeof(buf)) {
+ error("%s: greeting exceeds allowable length", c->c_name);
+ confree(s);
+ return;
+ }
 if (*cp != '\n' && *cp != '\r') {
 error("%s: bad greeting", c->c_name);
 confree(s); |
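Review bot: The comment added above the `for (;;)` loop has three misspellings, `preceeded`, `arbitarily` and `preceeding`, which should read `preceded`, `arbitrarily` and `preceding`. It also states the 255-character limit on the ID string without saying where that limit is enforced; one more sentence such as `Lines that fill buf without a terminator are rejected after the loop.` would point the reader at the length check added further down in congreet(). The loop body continues outside the hunk.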
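Review bot: The new `cp >= buf + sizeof(buf)` guard carries no comment saying what it protects, and its position matters: it has to stay ahead of the `*cp != '\n'` test that follows, because with `cp` one past the end of `buf` that test reads out of bounds on data supplied by the scanned host. A short comment would keep a later reordering from reopening the one-byte overflow the commit message describes, for example `/* cp == buf + sizeof(buf): line filled buf with no terminator; do not dereference cp */`. The read loop that advances `cp` and whatever follows the greeting test are outside this hunk, so this assumes `cp` can reach but never pass `buf + sizeof(buf)`.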