[DragonFlyBSD - Bug #3007] (Closed) crypto/openssh: four problems
    bugtracker-admin at leaf.dragonflybsd.org 
    Mon Apr 10 22:03:06 PDT 2017
    
    
  
Issue #3007 has been updated by dillon.
Status changed from New to Closed
There was one real bug here, the broken assignment.  OpenSSH upstream already had the fix.  Fix it in the DFly.  The other three cases involving dangerous sscanf() calls cannot actually overflow due to the limited input buffer size.  Document those cases but make no code change for them.
Fix committed by Matt
----------------------------------------
Bug #3007: crypto/openssh: four problems 
http://bugs.dragonflybsd.org/issues/3007#change-13121
* Author: dcb
* Status: Closed
* Priority: Normal
* Assignee: 
* Category: Crypto
* Target version: 
----------------------------------------
1.
dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.
Source code is
    if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)
but
    char buf[256], remote_version[256]; /* must be same size! */
Suggest new code
    if (sscanf(buf, "SSH-%d.%d-%256[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)
2.
dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
    if ((r = sshbuf_put_u32(b, sock) != 0) ||
        (r = sshbuf_put_string(b, data, datalen)) != 0)
3.
dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.
    if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)
Suggest limit buffer size.
4.
dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.
    if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3) {
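An added example, not code from OpenSSH or DragonFly: a bounded form of the banner parse flagged in items 1, 3 and 4. The width is 255 rather than the buffer size because sscanf() stores the matched characters plus a terminating NUL, so a 256-byte destination holds at most 255 of them. The names `parse_banner` and `stored_len_for` and the sample banner lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define VERSION_BUF 256	/* same size as remote_version[] in the report */

/*
 * Parse an SSH identification line into major, minor and software version.
 * Returns 0 on success, -1 if the line is not a banner.  The %255 width
 * keeps the write inside version[] however long the input line is; an
 * over-long version string is truncated, not rejected.
 */
static int
parse_banner(const char *line, int *major, int *minor,
    char version[VERSION_BUF])
{
	if (sscanf(line, "SSH-%d.%d-%255[^\n]\n", major, minor, version) != 3)
		return -1;
	return 0;
}

/* Bytes stored for a constructed banner whose version part is n bytes. */
static size_t
stored_len_for(size_t n)
{
	char line[1024], version[VERSION_BUF];
	int major, minor;
	size_t off;

	if (n > sizeof(line) - 16)
		return (size_t)-1;
	off = (size_t)snprintf(line, sizeof(line), "SSH-2.0-");
	memset(line + off, 'A', n);		/* constructed filler */
	line[off + n] = '\n';
	line[off + n + 1] = '\0';
	if (parse_banner(line, &major, &minor, version) != 0)
		return (size_t)-1;
	return strlen(version);
}

int
main(void)
{
	printf("100 -> %zu\n", stored_len_for(100));
	printf("255 -> %zu\n", stored_len_for(255));
	printf("900 -> %zu\n", stored_len_for(900));
	return 0;
}
```

The 900-byte case stands in for a source buffer larger than the destination, which is the situation the width limit guards against if the two buffer sizes ever stop matching.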