Bug #3007

closed

crypto/openssh: four problems

Added by dcb over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Crypto
Target version: -
Start date: 04/04/2017
Due date:
% Done: 0%
Estimated time:

Description

1.

dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.

Source code is

if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)

but

char buf[256], remote_version[256]; /* must be same size! */

Suggest new code

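/* The width counts stored characters only; sscanf() appends a NUL,
 * so a 256-byte remote_version takes a width of 255. */
if (sscanf(buf, "SSH-%d.%d-%255[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)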

2.

dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.

if ((r = sshbuf_put_u32(b, sock) != 0) ||
(r = sshbuf_put_string(b, data, datalen)) != 0)

3.

dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.

if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)

Suggest limit buffer size.

4.

dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.

if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3) {
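
The bounded banner parse that items 1, 3 and 4 ask for, as an added example (not code from the report or from OpenSSH). `parse_banner`, `parsed_len_for` and `VERSION_MAX` are hypothetical names and the banners are constructed; the point shown is that the `%[` width must be the buffer size minus one, because `sscanf()` stores a terminating NUL after the matched characters.

```c
#include <stdio.h>
#include <string.h>

#define VERSION_MAX 256 /* same size as remote_version[256] in the report */

/* Hypothetical helper: parse "SSH-<major>.<minor>-<software>\n".
 * Returns 0 on success, -1 if the banner does not match. */
int parse_banner(const char *banner, int *major, int *minor,
                 char version[VERSION_MAX])
{
    /* %255[^\n] stores at most 255 characters plus the NUL that sscanf
     * appends, which exactly fills a 256-byte buffer. */
    if (sscanf(banner, "SSH-%d.%d-%255[^\n]\n", major, minor, version) != 3)
        return -1;
    return 0;
}

/* Build a constructed banner whose software field is n 'A' characters and
 * parse it. Returns the stored length, -1 on parse failure, or -2 if the
 * byte placed right after the buffer was overwritten. */
int parsed_len_for(size_t n)
{
    static char banner[1024];
    struct { char version[VERSION_MAX]; unsigned char canary; } out;
    int major, minor;
    size_t off;

    if (n > sizeof(banner) - 16)
        return -1;
    off = (size_t)snprintf(banner, sizeof(banner), "SSH-2.0-");
    memset(banner + off, 'A', n);
    banner[off + n] = '\n';
    banner[off + n + 1] = '\0';

    out.canary = 0x5a;
    if (parse_banner(banner, &major, &minor, out.version) != 0)
        return -1;
    if (out.canary != 0x5a) /* a write past version[] would land here */
        return -2;
    return (int)strlen(out.version);
}

int main(void)
{
    printf("14-char software field  -> %d stored\n", parsed_len_for(14));
    printf("600-char software field -> %d stored\n", parsed_len_for(600));
    return 0;
}
```

An over-long software field is truncated to 255 characters rather than rejected, so a caller that needs the full string should check for truncation separately.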