New upstream release (6.8p1).

1 files changed, 49 insertions, 8 deletions

diff --git a/sshbuf-getput-basic.c b/sshbuf-getput-basic.c
index b7d0758c2..8ff8a0a28 100644
--- a/sshbuf-getput-basic.c
+++ b/sshbuf-getput-basic.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sshbuf-getput-basic.c,v 1.1 2014/04/30 05:29:56 djm Exp $     */
+/*      $OpenBSD: sshbuf-getput-basic.c,v 1.4 2015/01/14 15:02:39 djm Exp $     */
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -34,7 +34,7 @@ sshbuf_get(struct sshbuf *buf, void *v, size_t len)
 
         if ((r = sshbuf_consume(buf, len)) < 0)
                 return r;
-        if (v != NULL)
+        if (v != NULL && len != 0)
                 memcpy(v, p, len);
         return 0;
 }
@@ -109,7 +109,8 @@ sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp)
                         SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
                         return SSH_ERR_ALLOC_FAIL;
                 }
-                memcpy(*valp, val, len);
+                if (len != 0)
+                        memcpy(*valp, val, len);
                 (*valp)[len] = '\0';
         }
         if (lenp != NULL)
@@ -200,7 +201,8 @@ sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp)
                         SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
                         return SSH_ERR_ALLOC_FAIL;
                 }
-                memcpy(*valp, p, len);
+                if (len != 0)
+                        memcpy(*valp, p, len);
                 (*valp)[len] = '\0';
         }
         if (lenp != NULL)
@@ -236,7 +238,8 @@ sshbuf_put(struct sshbuf *buf, const void *v, size_t len)
 
         if ((r = sshbuf_reserve(buf, len, &p)) < 0)
                 return r;
-        memcpy(p, v, len);
+        if (len != 0)
+                memcpy(p, v, len);
         return 0;
 }
 
@@ -352,14 +355,15 @@ sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len)
         if ((r = sshbuf_reserve(buf, len + 4, &d)) < 0)
                 return r;
         POKE_U32(d, len);
-        memcpy(d + 4, v, len);
+        if (len != 0)
+                memcpy(d + 4, v, len);
         return 0;
 }
 
 int
 sshbuf_put_cstring(struct sshbuf *buf, const char *v)
 {
-        return sshbuf_put_string(buf, (u_char *)v, strlen(v));
+        return sshbuf_put_string(buf, (u_char *)v, v == NULL ? 0 : strlen(v));
 }
 
 int
@@ -416,6 +420,43 @@ sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len)
         POKE_U32(d, len + prepend);
         if (prepend)
                 d[4] = 0;
-        memcpy(d + 4 + prepend, s, len);
+        if (len != 0)
+                memcpy(d + 4 + prepend, s, len);
+        return 0;
+}
+
+int
+sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf,
+    const u_char **valp, size_t *lenp)
+{
+        const u_char *d;
+        size_t len, olen;
+        int r;
+
+        if ((r = sshbuf_peek_string_direct(buf, &d, &olen)) < 0)
+                return r;
+        len = olen;
+        /* Refuse negative (MSB set) bignums */
+        if ((len != 0 && (*d & 0x80) != 0))
+                return SSH_ERR_BIGNUM_IS_NEGATIVE;
+        /* Refuse overlong bignums, allow prepended \0 to avoid MSB set */
+        if (len > SSHBUF_MAX_BIGNUM + 1 ||
+            (len == SSHBUF_MAX_BIGNUM + 1 && *d != 0))
+                return SSH_ERR_BIGNUM_TOO_LARGE;
+        /* Trim leading zeros */
+        while (len > 0 && *d == 0x00) {
+                d++;
+                len--;
+        }
+        if (valp != 0)
+                *valp = d;
+        if (lenp != NULL)
+                *lenp = len;
+        if (sshbuf_consume(buf, olen + 4) != 0) {
+                /* Shouldn't happen */
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                SSHBUF_ABORT();
+                return SSH_ERR_INTERNAL_ERROR;
+        }
         return 0;
 }