From b59d4fe8b505f98f1a95da369c0f4c51b642e042 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 15 Mar 2006 11:30:38 +1100
Subject:    - djm@cvs.openbsd.org 2006/02/12 10:44:18      [readconf.c]     
 raise error when the user specifies a RekeyLimit that is smaller than 16     
 (the smallest of our cipher's blocksize) or big enough to cause integer     
 wraparound; ok & feedback dtucker@

---
 ChangeLog  |  7 ++++++-
 readconf.c | 29 ++++++++++++++++++++++-------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 380b952b8..f8e857153 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,11 @@
      add a %l expansion code to the ControlPath, which is filled in with the
      local hostname at runtime. Requested by henning@ to avoid some problems
      with /home on NFS; ok dtucker@
+   - djm@cvs.openbsd.org 2006/02/12 10:44:18
+     [readconf.c]
+     raise error when the user specifies a RekeyLimit that is smaller than 16
+     (the smallest of our cipher's blocksize) or big enough to cause integer
+     wraparound; ok & feedback dtucker@
 
 20060313
  - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
@@ -3975,4 +3980,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4160 2006/03/15 00:30:13 djm Exp $
+$Id: ChangeLog,v 1.4161 2006/03/15 00:30:38 djm Exp $
diff --git a/readconf.c b/readconf.c
index 1fbf59793..bc5cf6188 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.146 2006/02/12 10:44:18 djm Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -306,7 +306,8 @@ process_config_line(Options *options, const char *host,
 		    int *activep)
 {
 	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
-	int opcode, *intptr, value, value2;
+	int opcode, *intptr, value, value2, scale;
+	long long orig, val64;
 	size_t len;
 	Forward fwd;
 
@@ -479,22 +480,36 @@ parse_yesnoask:
 			fatal("%.200s line %d: Missing argument.", filename, linenum);
 		if (arg[0] < '0' || arg[0] > '9')
 			fatal("%.200s line %d: Bad number.", filename, linenum);
-		value = strtol(arg, &endofnumber, 10);
+		orig = val64 = strtoll(arg, &endofnumber, 10);
 		if (arg == endofnumber)
 			fatal("%.200s line %d: Bad number.", filename, linenum);
 		switch (toupper(*endofnumber)) {
+		case '\0':
+			scale = 1;
+			break;
 		case 'K':
-			value *= 1<<10;
+			scale = 1<<10;
 			break;
 		case 'M':
-			value *= 1<<20;
+			scale = 1<<20;
 			break;
 		case 'G':
-			value *= 1<<30;
+			scale = 1<<30;
 			break;
+		default:
+			fatal("%.200s line %d: Invalid RekeyLimit suffix",
+			    filename, linenum);
 		}
+		val64 *= scale;
+		/* detect integer wrap and too-large limits */
+		if ((val64 / scale) != orig || val64 > INT_MAX)
+			fatal("%.200s line %d: RekeyLimit too large",
+			    filename, linenum);
+		if (val64 < 16)
+			fatal("%.200s line %d: RekeyLimit too small",
+			    filename, linenum);
 		if (*activep && *intptr == -1)
-			*intptr = value;
+			*intptr = (int)val64;
 		break;
 
 	case oIdentityFile:
-- 
cgit v1.2.3