Bug #3007
closed
crypto/openssh: four problems
0%
Description
1.
dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.
Source code is
if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)but
char buf[256], remote_version[256]; /* must be same size! */Suggest new code
if (sscanf(buf, "SSH-%d.%d-%256[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)2.
dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
if ((r = sshbuf_put_u32(b, sock) != 0) ||
(r = sshbuf_put_string(b, data, datalen)) != 0)3.
dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.
if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)Suggest limit buffer size.
4.
dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.
if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3) {
Updated by dillon almost 8 years ago
- Status changed from New to Closed
There was one real bug here, the broken assignment. OpenSSH upstream already had the fix. Fix it in the DFly. The other three cases involving dangerous sscanf() calls cannot actually overflow due to the limited input buffer size. Document those cases but make not code change for t hem.
Fix committed by Matt