ports/libssh
ports/libssh
1
1
Форкнуть 0
Код Релизы 1 Активность

misc: fix error-checking in ssh_analyze_banner

Просмотр исходного кода 
Fix error-checking for `strtoul` in `ssh_analyze_banner`, and
enable some tests which demonstrate the fix before-and-after.

Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Этот коммит содержится в:
Jon Simons 2017-07-11 19:23:39 -04:00 коммит произвёл Andreas Schneider
родитель a97db12f4f
Коммит a89a67e008
2 изменённых файлов: 18 добавлений и 9 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

25
src/misc.c
Просмотреть файл

@ -35,6 +35,7 @@
#endif /* _WIN32 */ #endif /* _WIN32 */
#include <errno.h>
#include <limits.h> #include <limits.h>
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
@ -845,7 +846,9 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
openssh = strstr(banner, "OpenSSH"); openssh = strstr(banner, "OpenSSH");
if (openssh != NULL) { if (openssh != NULL) {
unsigned int major, minor; char *tmp = NULL;
unsigned long int major = 0UL;
unsigned long int minor = 0UL;
/* /*
* The banner is typical: * The banner is typical:
@ -853,25 +856,33 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
* 012345678901234567890 * 012345678901234567890
*/ */
if (strlen(openssh) > 9) { if (strlen(openssh) > 9) {
major = strtoul(openssh + 8, (char **) NULL, 10); major = strtoul(openssh + 8, &tmp, 10);
if (major < 1 || major > 100) { if ((tmp == (openssh + 8)) ||
((errno == ERANGE) && (major == ULONG_MAX)) ||
((errno != 0) && (major == 0)) ||
((major < 1) || (major > 100))) {
ssh_set_error(session, ssh_set_error(session,
SSH_FATAL, SSH_FATAL,
"Invalid major version number: %s", "Invalid major version number: %s",
banner); banner);
return -1; return -1;
} }
minor = strtoul(openssh + 10, (char **) NULL, 10);
if (minor > 100) { minor = strtoul(openssh + 10, &tmp, 10);
if ((tmp == (openssh + 10)) ||
((errno == ERANGE) && (major == ULONG_MAX)) ||
((errno != 0) && (major == 0)) ||
(minor > 100)) {
ssh_set_error(session, ssh_set_error(session,
SSH_FATAL, SSH_FATAL,
"Invalid minor version number: %s", "Invalid minor version number: %s",
banner); banner);
return -1; return -1;
} }
session->openssh = SSH_VERSION_INT(major, minor, 0); session->openssh = SSH_VERSION_INT(((int) major), ((int) minor), 0);
SSH_LOG(SSH_LOG_RARE, SSH_LOG(SSH_LOG_RARE,
"We are talking to an OpenSSH client version: %d.%d (%x)", "We are talking to an OpenSSH client version: %lu.%lu (%x)",
major, minor, session->openssh); major, minor, session->openssh);
} }
} }

2
tests/unittests/torture_misc.c
Просмотреть файл

@ -332,12 +332,10 @@ static void torture_ssh_analyze_banner(void **state) {
assert_server_banner_rejected("SSH-2.0-OpenSSH_X.9p1"); assert_server_banner_rejected("SSH-2.0-OpenSSH_X.9p1");
/* OpenSSH banners: bogus minor */ /* OpenSSH banners: bogus minor */
#if 0 /* these don't pass */
reset_banner_test(); reset_banner_test();
assert_server_banner_rejected("SSH-2.0-OpenSSH_5.Yp1"); assert_server_banner_rejected("SSH-2.0-OpenSSH_5.Yp1");
reset_banner_test(); reset_banner_test();
assert_client_banner_rejected("SSH-2.0-OpenSSH_5.Yp1"); assert_client_banner_rejected("SSH-2.0-OpenSSH_5.Yp1");
#endif /* these don't pass */
/* OpenSSH banners: ssh-keyscan(1) */ /* OpenSSH banners: ssh-keyscan(1) */
#if 0 /* these don't pass */ #if 0 /* these don't pass */