Project

General

Profile

Bug #3007

crypto/openssh: four problems

Added by dcb 7 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Crypto
Target version:
-
Start date:
04/04/2017
Due date:
% Done:

0%


Description

1.

dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.

Source code is

if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)

but

char buf[256], remote_version[256]; /* must be same size! */

Suggest new code

if (sscanf(buf, "SSH-%d.%d-%256[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)

2.

dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.

if ((r = sshbuf_put_u32(b, sock) != 0) ||
(r = sshbuf_put_string(b, data, datalen)) != 0)

3.

dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.

if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)

Suggest limit buffer size.

4.

dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.

if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3) {

History

#1 Updated by dillon 6 months ago

  • Status changed from New to Closed

There was one real bug here, the broken assignment. OpenSSH upstream already had the fix. Fix it in the DFly. The other three cases involving dangerous sscanf() calls cannot actually overflow due to the limited input buffer size. Document those cases but make not code change for t hem.

Fix committed by Matt

Also available in: Atom PDF