[DragonFlyBSD - Bug #3007] (New) crypto/openssh: four problems
bugtracker-admin at leaf.dragonflybsd.org
bugtracker-admin at leaf.dragonflybsd.org
Tue Apr 4 00:38:53 PDT 2017
Issue #3007 has been reported by dcb.
----------------------------------------
Bug #3007: crypto/openssh: four problems
http://bugs.dragonflybsd.org/issues/3007
* Author: dcb
* Status: New
* Priority: Normal
* Assignee:
* Category: Crypto
* Target version:
----------------------------------------
1.
dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.
Source code is
if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)
but
char buf[256], remote_version[256]; /* must be same size! */
Suggest new code
if (sscanf(buf, "SSH-%d.%d-%256[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)
2.
dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
if ((r = sshbuf_put_u32(b, sock) != 0) ||
(r = sshbuf_put_string(b, data, datalen)) != 0)
3.
dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.
if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3)
Suggest limit buffer size.
4.
dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.
if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
&remote_major, &remote_minor, remote_version) != 3) {
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account
More information about the Bugs
mailing list