diff options
| author | Damien Miller <djm@mindrot.org> | 2014-07-02 15:29:01 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2014-07-02 15:29:01 +1000 |
| commit | 1845fe6bda0729e52f4c645137f4fc3070b5438a (patch) | |
| tree | 0d29a2a98b222a85e651f69ba9f01b613d06ecaa | |
| parent | 19439e9a2a0ac0b4b3b1210e89695418beb1c883 (diff) | |
- djm@cvs.openbsd.org 2014/06/24 02:21:01
[scp.c]
when copying local->remote fails during read, don't send uninitialised
heap to the remote end. Reported by Jann Horn
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | scp.c | 10 |
2 files changed, 11 insertions, 3 deletions
| @@ -50,6 +50,10 @@ | |||
| 50 | ProxyCommand in use; continue and allow the ProxyCommand to | 50 | ProxyCommand in use; continue and allow the ProxyCommand to |
| 51 | connect anyway (e.g. to a host with a name outside the DNS | 51 | connect anyway (e.g. to a host with a name outside the DNS |
| 52 | behind a bastion) | 52 | behind a bastion) |
| 53 | - djm@cvs.openbsd.org 2014/06/24 02:21:01 | ||
| 54 | [scp.c] | ||
| 55 | when copying local->remote fails during read, don't send uninitialised | ||
| 56 | heap to the remote end. Reported by Jann Horn | ||
| 53 | 57 | ||
| 54 | 20140618 | 58 | 20140618 |
| 55 | - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare | 59 | - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: scp.c,v 1.179 2013/11/20 20:53:10 deraadt Exp $ */ | 1 | /* $OpenBSD: scp.c,v 1.180 2014/06/24 02:21:01 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * scp - secure remote copy. This is basically patched BSD rcp which | 3 | * scp - secure remote copy. This is basically patched BSD rcp which |
| 4 | * uses ssh to do the data transfer (instead of using rcmd). | 4 | * uses ssh to do the data transfer (instead of using rcmd). |
| @@ -747,7 +747,7 @@ source(int argc, char **argv) | |||
| 747 | static BUF buffer; | 747 | static BUF buffer; |
| 748 | BUF *bp; | 748 | BUF *bp; |
| 749 | off_t i, statbytes; | 749 | off_t i, statbytes; |
| 750 | size_t amt; | 750 | size_t amt, nr; |
| 751 | int fd = -1, haderr, indx; | 751 | int fd = -1, haderr, indx; |
| 752 | char *last, *name, buf[2048], encname[MAXPATHLEN]; | 752 | char *last, *name, buf[2048], encname[MAXPATHLEN]; |
| 753 | int len; | 753 | int len; |
| @@ -820,12 +820,16 @@ next: if (fd != -1) { | |||
| 820 | if (i + (off_t)amt > stb.st_size) | 820 | if (i + (off_t)amt > stb.st_size) |
| 821 | amt = stb.st_size - i; | 821 | amt = stb.st_size - i; |
| 822 | if (!haderr) { | 822 | if (!haderr) { |
| 823 | if (atomicio(read, fd, bp->buf, amt) != amt) | 823 | if ((nr = atomicio(read, fd, |
| 824 | bp->buf, amt)) != amt) { | ||
| 824 | haderr = errno; | 825 | haderr = errno; |
| 826 | memset(bp->buf + nr, 0, amt - nr); | ||
| 827 | } | ||
| 825 | } | 828 | } |
| 826 | /* Keep writing after error to retain sync */ | 829 | /* Keep writing after error to retain sync */ |
| 827 | if (haderr) { | 830 | if (haderr) { |
| 828 | (void)atomicio(vwrite, remout, bp->buf, amt); | 831 | (void)atomicio(vwrite, remout, bp->buf, amt); |
| 832 | memset(bp->buf, 0, amt); | ||
| 829 | continue; | 833 | continue; |
| 830 | } | 834 | } |
| 831 | if (atomicio6(vwrite, remout, bp->buf, amt, scpio, | 835 | if (atomicio6(vwrite, remout, bp->buf, amt, scpio, |