[DragonFlyBSD - Bug #3007] (New) crypto/openssh: four problems

bugtracker-admin at leaf.dragonflybsd.org
Tue Apr 4 00:38:53 PDT 2017


Issue #3007 has been reported by dcb.

----------------------------------------
Bug #3007: crypto/openssh: four problems 
http://bugs.dragonflybsd.org/issues/3007

* Author: dcb
* Status: New
* Priority: Normal
* Assignee: 
* Category: Crypto
* Target version: 
----------------------------------------

1.

[dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.

Source code is

    if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)

but

    char buf[256], remote_version[256]; /* must be same size! */

Suggest new code

    /* width excludes the terminating NUL: at most 255 for a 256-byte buffer */
    if (sscanf(buf, "SSH-%d.%d-%255[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)

2.

[dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.

    if ((r = sshbuf_put_u32(b, sock) != 0) ||
        (r = sshbuf_put_string(b, data, datalen)) != 0)

3.

[dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.

    if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)

Suggest limit buffer size.

4.

[dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.

    if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3) {






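An added example, not part of the report and not OpenSSH code: a bounded parse of an SSH identification line, showing that the width given to `%[` counts stored characters only, so a 256-byte buffer takes a width of 255. The `struct banner` layout, the canary byte and the names `parse_banner` and `parsed_len` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define VER_SIZE  256            /* buffer size quoted in the report */
#define VER_WIDTH 255            /* sscanf width: excludes the terminating NUL */
#define STR2(x) #x
#define STR(x)  STR2(x)
_Static_assert(VER_WIDTH == VER_SIZE - 1, "width must leave room for NUL");

/* Constructed layout: a canary right after the buffer exposes any overrun. */
struct banner {
    int major, minor;
    char version[VER_SIZE];
    unsigned char canary;
};

/* Returns 0 on success, -1 if the line is not an SSH identification string. */
int parse_banner(const char *line, struct banner *b)
{
    b->canary = 0xA5;
    if (sscanf(line, "SSH-%d.%d-%" STR(VER_WIDTH) "[^\n]",
        &b->major, &b->minor, b->version) != 3)
        return -1;
    return 0;
}

/* Constructed input: a banner whose version part is n bytes of 'A'.
 * Returns the length actually stored, or (size_t)-1 on parse failure. */
size_t parsed_len(size_t n, struct banner *b)
{
    char line[1024] = "SSH-2.0-";

    if (n > sizeof(line) - 10)
        n = sizeof(line) - 10;
    memset(line + 8, 'A', n);
    line[8 + n] = '\n';
    line[9 + n] = '\0';
    return parse_banner(line, b) == 0 ? strlen(b->version) : (size_t)-1;
}

int main(void)
{
    struct banner b;

    printf("short banner: %zu bytes stored\n", parsed_len(11, &b));
    printf("long banner:  %zu bytes stored, canary intact: %d\n",
        parsed_len(600, &b), b.canary == 0xA5);
    return 0;
}
```

Deriving the width from one macro and checking it against the buffer size at compile time keeps the two from drifting apart when the buffer is resized.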
