diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2019-01-23 08:01:46 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2019-02-08 15:38:28 +0000 |
| commit | 11b88754cadcad0ba79b4ffcc127223248dccb54 (patch) | |
| tree | 2c9793f792675bc79de7f7a3bcae66cdfaa719ca /sftp-client.c | |
| parent | dee21e97428e69d30e2d15c71f3e7cc08bf8e4f8 (diff) | |
upstream: Sanitize scp filenames via snmprintf. To do this we move
the progressmeter formatting outside of signal handler context and have the
atomicio callback called for EINTR too. bz#2434 with contributions from djm
and jjelen at redhat.com, ok djm@
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
CVE-2019-6109
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
Bug-Debian: https://bugs.debian.org/793412
Last-Update: 2019-02-08
Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
Diffstat (limited to 'sftp-client.c')
| -rw-r--r-- | sftp-client.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/sftp-client.c b/sftp-client.c index 4986d6d8d..2bc698f86 100644 --- a/sftp-client.c +++ b/sftp-client.c | |||
| @@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount) | |||
| 101 | { | 101 | { |
| 102 | struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; | 102 | struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; |
| 103 | 103 | ||
| 104 | bandwidth_limit(bwlimit, amount); | 104 | refresh_progress_meter(); |
| 105 | if (bwlimit != NULL) | ||
| 106 | bandwidth_limit(bwlimit, amount); | ||
| 105 | return 0; | 107 | return 0; |
| 106 | } | 108 | } |
| 107 | 109 | ||
| @@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m) | |||
| 121 | iov[1].iov_base = (u_char *)sshbuf_ptr(m); | 123 | iov[1].iov_base = (u_char *)sshbuf_ptr(m); |
| 122 | iov[1].iov_len = sshbuf_len(m); | 124 | iov[1].iov_len = sshbuf_len(m); |
| 123 | 125 | ||
| 124 | if (atomiciov6(writev, conn->fd_out, iov, 2, | 126 | if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio, |
| 125 | conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != | 127 | conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) != |
| 126 | sshbuf_len(m) + sizeof(mlen)) | 128 | sshbuf_len(m) + sizeof(mlen)) |
| 127 | fatal("Couldn't send packet: %s", strerror(errno)); | 129 | fatal("Couldn't send packet: %s", strerror(errno)); |
| 128 | 130 | ||
| @@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial) | |||
| 138 | 140 | ||
| 139 | if ((r = sshbuf_reserve(m, 4, &p)) != 0) | 141 | if ((r = sshbuf_reserve(m, 4, &p)) != 0) |
| 140 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 142 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 141 | if (atomicio6(read, conn->fd_in, p, 4, | 143 | if (atomicio6(read, conn->fd_in, p, 4, sftpio, |
| 142 | conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) { | 144 | conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) { |
| 143 | if (errno == EPIPE || errno == ECONNRESET) | 145 | if (errno == EPIPE || errno == ECONNRESET) |
| 144 | fatal("Connection closed"); | 146 | fatal("Connection closed"); |
| 145 | else | 147 | else |
| @@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial) | |||
| 157 | 159 | ||
| 158 | if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) | 160 | if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) |
| 159 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 161 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 160 | if (atomicio6(read, conn->fd_in, p, msg_len, | 162 | if (atomicio6(read, conn->fd_in, p, msg_len, sftpio, |
| 161 | conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) | 163 | conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) |
| 162 | != msg_len) { | 164 | != msg_len) { |
| 163 | if (errno == EPIPE) | 165 | if (errno == EPIPE) |
| 164 | fatal("Connection closed"); | 166 | fatal("Connection closed"); |