- djm@cvs.openbsd.org 2006/02/12 10:44:18

     [readconf.c]
     raise error when the user specifies a RekeyLimit that is smaller than 16
     (the smallest of our cipher's blocksize) or big enough to cause integer
     wraparound; ok & feedback dtucker@

2 files changed, 28 insertions, 8 deletions

diff --git a/ChangeLog b/ChangeLog
index 380b952b8..f8e857153 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,11 @@
      add a %l expansion code to the ControlPath, which is filled in with the
      local hostname at runtime. Requested by henning@ to avoid some problems
      with /home on NFS; ok dtucker@
+   - djm@cvs.openbsd.org 2006/02/12 10:44:18
+     [readconf.c]
+     raise error when the user specifies a RekeyLimit that is smaller than 16
+     (the smallest of our cipher's blocksize) or big enough to cause integer
+     wraparound; ok & feedback dtucker@
 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -3975,4 +3980,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4160 2006/03/15 00:30:13 djm Exp $
+$Id: ChangeLog,v 1.4161 2006/03/15 00:30:38 djm Exp $
diff --git a/readconf.c b/readconf.c
index 1fbf59793..bc5cf6188 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.146 2006/02/12 10:44:18 djm Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -306,7 +306,8 @@ process_config_line(Options *options, const char *host,
                     int *activep)
 {
         char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
-        int opcode, *intptr, value, value2;
+        int opcode, *intptr, value, value2, scale;
+        long long orig, val64;
         size_t len;
         Forward fwd;
 
@@ -479,22 +480,36 @@ parse_yesnoask:
                         fatal("%.200s line %d: Missing argument.", filename, linenum);
                 if (arg[0] < '0' || arg[0] > '9')
                         fatal("%.200s line %d: Bad number.", filename, linenum);
-                value = strtol(arg, &endofnumber, 10);
+                orig = val64 = strtoll(arg, &endofnumber, 10);
                 if (arg == endofnumber)
                         fatal("%.200s line %d: Bad number.", filename, linenum);
                 switch (toupper(*endofnumber)) {
+                case '\0':
+                        scale = 1;
+                        break;
                 case 'K':
-                        value *= 1<<10;
+                        scale = 1<<10;
                         break;
                 case 'M':
-                        value *= 1<<20;
+                        scale = 1<<20;
                         break;
                 case 'G':
-                        value *= 1<<30;
+                        scale = 1<<30;
                         break;
+                default:
+                        fatal("%.200s line %d: Invalid RekeyLimit suffix",
+                            filename, linenum);
                 }
+                val64 *= scale;
+                /* detect integer wrap and too-large limits */
+                if ((val64 / scale) != orig || val64 > INT_MAX)
+                        fatal("%.200s line %d: RekeyLimit too large",
+                            filename, linenum);
+                if (val64 < 16)
+                        fatal("%.200s line %d: RekeyLimit too small",
+                            filename, linenum);
                 if (*activep && *intptr == -1)
-                        *intptr = value;
+                        *intptr = (int)val64;
                 break;
 
         case oIdentityFile: