diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-06-13 12:13:59 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-06-13 22:15:08 +1000 |
| commit | c948030d54911b2d3cddb96a7a8e9269e15d11cd (patch) | |
| tree | ea8ebe00517d8e6ef5b11c8ba19d7401cb5dff5f /kex.c | |
| parent | 6026f48dfca78b713e4a7f681ffa42a0afe0929e (diff) | |
upstream commit
Do not require that unknown EXT_INFO extension values not
contain \0 characters. This would cause fatal connection errors if an
implementation sent e.g. string-encoded sub-values inside a value.
Reported by Denis Bider; ok markus@
Upstream-ID: 030e10fdc605563c040244c4b4f1d8ae75811a5c
Diffstat (limited to 'kex.c')
| -rw-r--r-- | kex.c | 18 |
1 files changed, 13 insertions, 5 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: kex.c,v 1.133 2017/05/30 14:23:52 markus Exp $ */ | 1 | /* $OpenBSD: kex.c,v 1.134 2017/06/13 12:13:59 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -378,7 +378,9 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) | |||
| 378 | { | 378 | { |
| 379 | struct kex *kex = ssh->kex; | 379 | struct kex *kex = ssh->kex; |
| 380 | u_int32_t i, ninfo; | 380 | u_int32_t i, ninfo; |
| 381 | char *name, *val, *found; | 381 | char *name, *found; |
| 382 | u_char *val; | ||
| 383 | size_t vlen; | ||
| 382 | int r; | 384 | int r; |
| 383 | 385 | ||
| 384 | debug("SSH2_MSG_EXT_INFO received"); | 386 | debug("SSH2_MSG_EXT_INFO received"); |
| @@ -388,12 +390,17 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) | |||
| 388 | for (i = 0; i < ninfo; i++) { | 390 | for (i = 0; i < ninfo; i++) { |
| 389 | if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) | 391 | if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) |
| 390 | return r; | 392 | return r; |
| 391 | if ((r = sshpkt_get_cstring(ssh, &val, NULL)) != 0) { | 393 | if ((r = sshpkt_get_string(ssh, &val, &vlen)) != 0) { |
| 392 | free(name); | 394 | free(name); |
| 393 | return r; | 395 | return r; |
| 394 | } | 396 | } |
| 395 | debug("%s: %s=<%s>", __func__, name, val); | ||
| 396 | if (strcmp(name, "server-sig-algs") == 0) { | 397 | if (strcmp(name, "server-sig-algs") == 0) { |
| 398 | /* Ensure no \0 lurking in value */ | ||
| 399 | if (memchr(val, '\0', vlen) != NULL) { | ||
| 400 | error("%s: nul byte in %s", __func__, name); | ||
| 401 | return SSH_ERR_INVALID_FORMAT; | ||
| 402 | } | ||
| 403 | debug("%s: %s=<%s>", __func__, name, val); | ||
| 397 | found = match_list("rsa-sha2-256", val, NULL); | 404 | found = match_list("rsa-sha2-256", val, NULL); |
| 398 | if (found) { | 405 | if (found) { |
| 399 | kex->rsa_sha2 = 256; | 406 | kex->rsa_sha2 = 256; |
| @@ -404,7 +411,8 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) | |||
| 404 | kex->rsa_sha2 = 512; | 411 | kex->rsa_sha2 = 512; |
| 405 | free(found); | 412 | free(found); |
| 406 | } | 413 | } |
| 407 | } | 414 | } else |
| 415 | debug("%s: %s (unrecognised)", __func__, name); | ||
| 408 | free(name); | 416 | free(name); |
| 409 | free(val); | 417 | free(val); |
| 410 | } | 418 | } |