upstream commit

Remove pattern length argument from match_pattern_list(), we
 only ever use it for strlen(pattern).

Prompted by hanno AT hboeck.de pointing an out-of-bound read
error caused by an incorrect pattern length found using AFL
and his own tools.

ok markus@

14 files changed, 43 insertions, 59 deletions

diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index eebfe8fc3..e2327cf77 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.25 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -109,8 +109,7 @@ userauth_hostbased(Authctxt *authctxt)
                 goto done;
         }
         if (match_pattern_list(sshkey_ssh_name(key),
-            options.hostbased_key_types,
-            strlen(options.hostbased_key_types), 0) != 1) {
+            options.hostbased_key_types, 0) != 1) {
                 logit("%s: key type %s not in HostbasedAcceptedKeyTypes",
                     __func__, sshkey_type(key));
                 goto done;
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index d943efa1e..e103b70af 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.47 2015/02/17 00:14:05 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.49 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -127,8 +127,8 @@ userauth_pubkey(Authctxt *authctxt)
                 logit("refusing previously-used %s key", key_type(key));
                 goto done;
         }
-        if (match_pattern_list(sshkey_ssh_name(key), options.pubkey_key_types,
-            strlen(options.pubkey_key_types), 0) != 1) {
+        if (match_pattern_list(sshkey_ssh_name(key),
+            options.pubkey_key_types, 0) != 1) {
                 logit("%s: key type %s not in PubkeyAcceptedKeyTypes",
                     __func__, sshkey_ssh_name(key));
                 goto done;
diff --git a/clientloop.c b/clientloop.c
index a9c8a90f0..040deb992 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.272 2015/02/25 19:54:02 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.273 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2352,8 +2352,7 @@ client_input_hostkeys(void)
                 /* Check that the key is accepted in HostkeyAlgorithms */
                 if (options.hostkeyalgorithms != NULL &&
                     match_pattern_list(sshkey_ssh_name(key),
-                    options.hostkeyalgorithms,
-                    strlen(options.hostkeyalgorithms), 0) != 1) {
+                    options.hostkeyalgorithms, 0) != 1) {
                         debug3("%s: %s key not permitted by HostkeyAlgorithms",
                             __func__, sshkey_ssh_name(key));
                         continue;
diff --git a/compat.c b/compat.c
index 7836a86be..337bbe01e 100644
--- a/compat.c
+++ b/compat.c
@@ -192,8 +192,7 @@ compat_datafellows(const char *version)
 
         /* process table, return first match */
         for (i = 0; check[i].pat; i++) {
-                if (match_pattern_list(version, check[i].pat,
-                    strlen(check[i].pat), 0) == 1) {
+                if (match_pattern_list(version, check[i].pat, 0) == 1) {
                         debug("match: %s pat %s compat 0x%08x",
                             version, check[i].pat, check[i].bugs);
                         datafellows = check[i].bugs;    /* XXX for now */
@@ -251,7 +250,7 @@ filter_proposal(char *proposal, const char *filter)
         buffer_init(&b);
         tmp = orig_prop = xstrdup(proposal);
         while ((cp = strsep(&tmp, ",")) != NULL) {
-                if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
+                if (match_pattern_list(cp, filter, 0) != 1) {
                         if (buffer_len(&b) > 0)
                                 buffer_append(&b, ",", 1);
                         buffer_append(&b, cp, strlen(cp));
diff --git a/groupaccess.c b/groupaccess.c
index 4fca04471..2518c8487 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: groupaccess.c,v 1.15 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: groupaccess.c,v 1.16 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Copyright (c) 2001 Kevin Steves.  All rights reserved.
  *
@@ -97,11 +97,9 @@ int
 ga_match_pattern_list(const char *group_pattern)
 {
         int i, found = 0;
-        size_t len = strlen(group_pattern);
 
         for (i = 0; i < ngroups; i++) {
-                switch (match_pattern_list(groups_byname[i],
-                    group_pattern, len, 0)) {
+                switch (match_pattern_list(groups_byname[i], group_pattern, 0)) {
                 case -1:
                         return 0;       /* Negated match wins */
                 case 0:
diff --git a/hostfile.c b/hostfile.c
index d9fdcb872..2850a4793 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.65 2015/03/31 22:57:06 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.66 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -663,7 +663,7 @@ match_maybe_hashed(const char *host, const char *names, int *was_hashed)
                 return nlen == strlen(hashed_host) &&
                     strncmp(hashed_host, names, nlen) == 0;
         }
-        return match_hostname(host, names, nlen) == 1;
+        return match_hostname(host, names) == 1;
 }
 
 int
diff --git a/match.c b/match.c
index c35e32896..913b6bae0 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.29 2013/11/20 20:54:10 deraadt Exp $ */
+/* $OpenBSD: match.c,v 1.30 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -115,15 +115,13 @@ match_pattern(const char *s, const char *pattern)
  * indicate negation).  Returns -1 if negation matches, 1 if there is
  * a positive match, 0 if there is no match at all.
  */
-
 int
-match_pattern_list(const char *string, const char *pattern, u_int len,
-    int dolower)
+match_pattern_list(const char *string, const char *pattern, int dolower)
 {
         char sub[1024];
         int negated;
         int got_positive;
-        u_int i, subi;
+        u_int i, subi, len = strlen(pattern);
 
         got_positive = 0;
         for (i = 0; i < len;) {
@@ -177,9 +175,9 @@ match_pattern_list(const char *string, const char *pattern, u_int len,
  * a positive match, 0 if there is no match at all.
  */
 int
-match_hostname(const char *host, const char *pattern, u_int len)
+match_hostname(const char *host, const char *pattern)
 {
-        return match_pattern_list(host, pattern, len, 1);
+        return match_pattern_list(host, pattern, 1);
 }
 
 /*
@@ -200,7 +198,7 @@ match_host_and_ip(const char *host, const char *ipaddr,
                 return 0;
 
         /* negative hostname match */
-        if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
+        if ((mhost = match_hostname(host, patterns)) == -1)
                 return 0;
         /* no match at all */
         if (mhost == 0 && mip == 0)
diff --git a/match.h b/match.h
index 3d7f70fc0..db97ca8f7 100644
--- a/match.h
+++ b/match.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.h,v 1.15 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: match.h,v 1.16 2015/05/04 06:10:48 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,8 +15,8 @@
 #define MATCH_H
 
 int      match_pattern(const char *, const char *);
-int      match_pattern_list(const char *, const char *, u_int, int);
-int      match_hostname(const char *, const char *, u_int);
+int      match_pattern_list(const char *, const char *, int);
+int      match_hostname(const char *, const char *);
 int      match_host_and_ip(const char *, const char *, const char *);
 int      match_user(const char *, const char *, const char *, const char *);
 char    *match_list(const char *, const char *, u_int *);
diff --git a/monitor.c b/monitor.c
index 6908a0a6b..d0ee4f7a6 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.147 2015/04/27 01:52:30 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.149 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1215,9 +1215,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
                         allowed = options.pubkey_authentication &&
                             !auth2_userkey_already_used(authctxt, key) &&
                             match_pattern_list(sshkey_ssh_name(key),
-                            options.pubkey_key_types,
-                            strlen(options.pubkey_key_types), 0) == 1 &&
-                            user_key_allowed(authctxt->pw, key);
+                            options.pubkey_key_types, 0) == 1 &&
+                            user_key_allowed(authctxt->pw, key,
+                            pubkey_auth_attempt);
                         pubkey_auth_info(authctxt, key, NULL);
                         auth_method = "publickey";
                         if (options.pubkey_authentication && allowed != 1)
@@ -1226,8 +1226,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
                 case MM_HOSTKEY:
                         allowed = options.hostbased_authentication &&
                             match_pattern_list(sshkey_ssh_name(key),
-                            options.hostbased_key_types,
-                            strlen(options.hostbased_key_types), 0) == 1 &&
+                            options.hostbased_key_types, 0) == 1 &&
                             hostbased_key_allowed(authctxt->pw,
                             cuser, chost, key);
                         pubkey_auth_info(authctxt, key,
diff --git a/readconf.c b/readconf.c
index 66090e305..f40ec8f22 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.234 2015/04/24 01:36:00 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.235 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -492,7 +492,6 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
         char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
         const char *ruser;
         int r, port, this_result, result = 1, attributes = 0, negate;
-        size_t len;
         char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
 
         /*
@@ -545,25 +544,24 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
                         result = -1;
                         goto out;
                 }
-                len = strlen(arg);
                 if (strcasecmp(attrib, "host") == 0) {
                         criteria = xstrdup(host);
-                        r = match_hostname(host, arg, len) == 1;
+                        r = match_hostname(host, arg) == 1;
                         if (r == (negate ? 1 : 0))
                                 this_result = result = 0;
                 } else if (strcasecmp(attrib, "originalhost") == 0) {
                         criteria = xstrdup(original_host);
-                        r = match_hostname(original_host, arg, len) == 1;
+                        r = match_hostname(original_host, arg) == 1;
                         if (r == (negate ? 1 : 0))
                                 this_result = result = 0;
                 } else if (strcasecmp(attrib, "user") == 0) {
                         criteria = xstrdup(ruser);
-                        r = match_pattern_list(ruser, arg, len, 0) == 1;
+                        r = match_pattern_list(ruser, arg, 0) == 1;
                         if (r == (negate ? 1 : 0))
                                 this_result = result = 0;
                 } else if (strcasecmp(attrib, "localuser") == 0) {
                         criteria = xstrdup(pw->pw_name);
-                        r = match_pattern_list(pw->pw_name, arg, len, 0) == 1;
+                        r = match_pattern_list(pw->pw_name, arg, 0) == 1;
                         if (r == (negate ? 1 : 0))
                                 this_result = result = 0;
                 } else if (strcasecmp(attrib, "exec") == 0) {
@@ -665,8 +663,8 @@ parse_token(const char *cp, const char *filename, int linenum,
         for (i = 0; keywords[i].name; i++)
                 if (strcmp(cp, keywords[i].name) == 0)
                         return keywords[i].opcode;
-        if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown,
-            strlen(ignored_unknown), 1) == 1)
+        if (ignored_unknown != NULL &&
+            match_pattern_list(cp, ignored_unknown, 1) == 1)
                 return oIgnoredUnknownOption;
         error("%s: line %d: Bad configuration option: %s",
             filename, linenum, cp);
diff --git a/servconf.c b/servconf.c
index 29457b833..c0291947b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,4 @@
-
-/* $OpenBSD: servconf.c,v 1.266 2015/04/29 03:48:56 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.269 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -754,7 +753,6 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 {
         int result = 1, attributes = 0, port;
         char *arg, *attrib, *cp = *condition;
-        size_t len;
 
         if (ci == NULL)
                 debug3("checking syntax for 'Match %s'", cp);
@@ -781,13 +779,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
                         error("Missing Match criteria for %s", attrib);
                         return -1;
                 }
-                len = strlen(arg);
                 if (strcasecmp(attrib, "user") == 0) {
                         if (ci == NULL || ci->user == NULL) {
                                 result = 0;
                                 continue;
                         }
-                        if (match_pattern_list(ci->user, arg, len, 0) != 1)
+                        if (match_pattern_list(ci->user, arg, 0) != 1)
                                 result = 0;
                         else
                                 debug("user %.100s matched 'User %.100s' at "
@@ -808,7 +805,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
                                 result = 0;
                                 continue;
                         }
-                        if (match_hostname(ci->host, arg, len) != 1)
+                        if (match_hostname(ci->host, arg) != 1)
                                 result = 0;
                         else
                                 debug("connection from %.100s matched 'Host "
diff --git a/ssh.c b/ssh.c
index ae4092544..3fd5a941f 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.417 2015/04/17 13:16:48 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.418 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -356,10 +356,8 @@ check_follow_cname(char **namep, const char *cname)
         debug3("%s: check \"%s\" CNAME \"%s\"", __func__, *namep, cname);
         for (i = 0; i < options.num_permitted_cnames; i++) {
                 rule = options.permitted_cnames + i;
-                if (match_pattern_list(*namep, rule->source_list,
-                    strlen(rule->source_list), 1) != 1 ||
-                    match_pattern_list(cname, rule->target_list,
-                    strlen(rule->target_list), 1) != 1)
+                if (match_pattern_list(*namep, rule->source_list, 1) != 1 ||
+                    match_pattern_list(cname, rule->target_list, 1) != 1)
                         continue;
                 verbose("Canonicalized DNS aliased hostname "
                     "\"%s\" => \"%s\"", *namep, cname);
diff --git a/sshconnect2.c b/sshconnect2.c
index ba56f6433..fcaed6b01 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.223 2015/01/30 11:43:14 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1610,8 +1610,7 @@ userauth_hostbased(Authctxt *authctxt)
                                 continue;
                         if (match_pattern_list(
                             sshkey_ssh_name(authctxt->sensitive->keys[i]),
-                            authctxt->active_ktype,
-                            strlen(authctxt->active_ktype), 0) != 1)
+                            authctxt->active_ktype, 0) != 1)
                                 continue;
                         /* we take and free the key */
                         private = authctxt->sensitive->keys[i];
diff --git a/sshkey.c b/sshkey.c
index a36004671..83985ca54 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -251,7 +251,7 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
                                         if (kt->type == KEY_RSA1)
                                                 continue;
                                         if (match_pattern_list(kt->name,
-                                            p, strlen(p), 0) != 0)
+                                            p, 0) != 0)
                                                 break;
                                 }
                                 if (kt->type != -1)