[DragonFlyBSD - Bug #3007] (Closed) crypto/openssh: four problems

bugtracker-admin at leaf.dragonflybsd.org bugtracker-admin at leaf.dragonflybsd.org
Mon Apr 10 22:03:06 PDT 2017


Issue #3007 has been updated by dillon.

Status changed from New to Closed

There was one real bug here, the broken assignment.  OpenSSH upstream already had the fix.  Fix it in the DFly.  The other three cases involving dangerous sscanf() calls cannot actually overflow due to the limited input buffer size.  Document those cases but make not code change for t hem.

Fix committed by Matt


----------------------------------------
Bug #3007: crypto/openssh: four problems 
http://bugs.dragonflybsd.org/issues/3007#change-13121

* Author: dcb
* Status: Closed
* Priority: Normal
* Assignee: 
* Category: Crypto
* Target version: 
----------------------------------------

1.

dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data.

Source code is

    if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)

but

    char buf[256], remote_version[256]; /* must be same size! */

Suggest new code

    if (sscanf(buf, "SSH-%d.%d-%256[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)

2.

dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.

    if ((r = sshbuf_put_u32(b, sock) != 0) ||
        (r = sshbuf_put_string(b, data, datalen)) != 0)

3.

dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data.

    if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3)

Suggest limit buffer size.

4.

dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data.

    if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
        &remote_major, &remote_minor, remote_version) != 3) {




-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account



More information about the Bugs mailing list