diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-05-22 04:45:52 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-05-22 20:02:18 +1000 |
| commit | 0882332616e4f0272c31cc47bf2018f9cb258a4e (patch) | |
| tree | b4121076bd70e652c3e6d3f0b230ce98ba6e5d6a | |
| parent | d7c31da4d42c115843edee2074d7d501f8804420 (diff) | |
upstream commit
Reorder EscapeChar option parsing to avoid a single-byte
out- of-bounds read. bz#2396 from Jaak Ristioja; ok dtucker@
Upstream-ID: 1dc6b5b63d1c8d9a88619da0b27ade461d79b060
| -rw-r--r-- | readconf.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/readconf.c b/readconf.c index f40ec8f22..47125aea6 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: readconf.c,v 1.235 2015/05/04 06:10:48 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.236 2015/05/22 04:45:52 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -1236,13 +1236,13 @@ parse_int: | |||
| 1236 | arg = strdelim(&s); | 1236 | arg = strdelim(&s); |
| 1237 | if (!arg || *arg == '\0') | 1237 | if (!arg || *arg == '\0') |
| 1238 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 1238 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
| 1239 | if (arg[0] == '^' && arg[2] == 0 && | 1239 | if (strcmp(arg, "none") == 0) |
| 1240 | value = SSH_ESCAPECHAR_NONE; | ||
| 1241 | else if (arg[1] == '\0') | ||
| 1242 | value = (u_char) arg[0]; | ||
| 1243 | else if (arg[0] == '^' && arg[2] == 0 && | ||
| 1240 | (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) | 1244 | (u_char) arg[1] >= 64 && (u_char) arg[1] < 128) |
| 1241 | value = (u_char) arg[1] & 31; | 1245 | value = (u_char) arg[1] & 31; |
| 1242 | else if (strlen(arg) == 1) | ||
| 1243 | value = (u_char) arg[0]; | ||
| 1244 | else if (strcmp(arg, "none") == 0) | ||
| 1245 | value = SSH_ESCAPECHAR_NONE; | ||
| 1246 | else { | 1246 | else { |
| 1247 | fatal("%.200s line %d: Bad escape character.", | 1247 | fatal("%.200s line %d: Bad escape character.", |
| 1248 | filename, linenum); | 1248 | filename, linenum); |