authordtucker@openbsd.org <dtucker@openbsd.org>2019-01-23 08:01:46 +0000
committerColin Watson <cjwatson@debian.org>2019-02-08 15:38:28 +0000
commit11b88754cadcad0ba79b4ffcc127223248dccb54 (patch)
tree2c9793f792675bc79de7f7a3bcae66cdfaa719ca /sftp-client.c
parentdee21e97428e69d30e2d15c71f3e7cc08bf8e4f8 (diff)
upstream: Sanitize scp filenames via snmprintf. To do this we move
the progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@ OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8 CVE-2019-6109 Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c Bug-Debian: https://bugs.debian.org/793412 Last-Update: 2019-02-08 Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
Diffstat (limited to 'sftp-client.c')
-rw-r--r--sftp-client.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/sftp-client.c b/sftp-client.c
index 4986d6d8d..2bc698f86 100644
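--- a/sftp-client.c
+++ b/sftp-client.c
@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
 {
  struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
 
- bandwidth_limit(bwlimit, amount);
+ refresh_progress_meter();
+ if (bwlimit != NULL)
+ bandwidth_limit(bwlimit, amount);
  return 0;
 }
 
@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
  iov[1].iov_base = (u_char *)sshbuf_ptr(m);
  iov[1].iov_len = sshbuf_len(m);
 
- if (atomiciov6(writev, conn->fd_out, iov, 2,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
+ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
  sshbuf_len(m) + sizeof(mlen))
  fatal("Couldn't send packet: %s", strerror(errno));
 
@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
 
  if ((r = sshbuf_reserve(m, 4, &p)) != 0)
  fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (atomicio6(read, conn->fd_in, p, 4,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
+ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
  if (errno == EPIPE || errno == ECONNRESET)
  fatal("Connection closed");
  else
@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
 
  if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
  fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (atomicio6(read, conn->fd_in, p, msg_len,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
+ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
  != msg_len) {
  if (errno == EPIPE)
  fatal("Connection closed");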
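Review bot: In the first hunk `sftpio` is now installed unconditionally and does two jobs, but nothing at the function records that `_bwlimit` may be NULL or why `refresh_progress_meter()` is called from an I/O callback. I would add a comment above the body such as `/* atomicio callback: redraws the progress meter outside signal-handler context; _bwlimit is NULL when no bandwidth limit is configured */`. The three call sites in `send_msg` and `get_msg_extended` depend on that NULL contract through `conn->limit_kbps > 0 ? &conn->bwlimit_... : NULL`, and their bodies continue outside the hunks shown. This page is limited to sftp-client.c, so the filename sanitising for CVE-2019-6109 and the EINTR callback behaviour the description mentions are presumably in other files of the same patch; a backport should confirm those parts land together, since this file alone only rewires the callback.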