add some functions to perform random-access read/write operations

inside buffers with bounds checking. Intended to replace manual
pointer arithmetic wherever possible.

feedback and ok markus@

2 files changed, 183 insertions, 3 deletions

diff --git a/usr.bin/ssh/sshbuf-getput-basic.c b/usr.bin/ssh/sshbuf-getput-basic.c
index 8d64d8dd9de..5e9ebbb0ced 100644
--- a/usr.bin/ssh/sshbuf-getput-basic.c
+++ b/usr.bin/ssh/sshbuf-getput-basic.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf-getput-basic.c,v 1.7 2017/06/01 04:51:58 djm Exp $	*/
+/*	$OpenBSD: sshbuf-getput-basic.c,v 1.8 2019/07/14 23:32:27 djm Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -91,6 +91,93 @@ sshbuf_get_u8(struct sshbuf *buf, u_char *valp)
 	return 0;
 }
 
+static int
+check_offset(const struct sshbuf *buf, int wr, size_t offset, size_t len)
+{
+	if (sshbuf_ptr(buf) == NULL) /* calls sshbuf_check_sanity() */
+		return SSH_ERR_INTERNAL_ERROR;
+	if (offset >= SIZE_MAX - len)
+		return SSH_ERR_INVALID_ARGUMENT;
+	if (offset + len > sshbuf_len(buf)) {
+		return wr ?
+		    SSH_ERR_NO_BUFFER_SPACE : SSH_ERR_MESSAGE_INCOMPLETE;
+	}
+	return 0;
+}
+
+static int
+check_roffset(const struct sshbuf *buf, size_t offset, size_t len,
+    const u_char **p)
+{
+	int r;
+
+	*p = NULL;
+	if ((r = check_offset(buf, 0, offset, len)) != 0)
+		return r;
+	*p = sshbuf_ptr(buf) + offset;
+	return 0;
+}
+
+int
+sshbuf_peek_u64(const struct sshbuf *buf, size_t offset, u_int64_t *valp)
+{
+	const u_char *p = NULL;
+	int r;
+
+	if (valp != NULL)
+		*valp = 0;
+	if ((r = check_roffset(buf, offset, 8, &p)) != 0)
+		return r;
+	if (valp != NULL)
+		*valp = PEEK_U64(p);
+	return 0;
+}
+
+int
+sshbuf_peek_u32(const struct sshbuf *buf, size_t offset, u_int32_t *valp)
+{
+	const u_char *p = NULL;
+	int r;
+
+	if (valp != NULL)
+		*valp = 0;
+	if ((r = check_roffset(buf, offset, 4, &p)) != 0)
+		return r;
+	if (valp != NULL)
+		*valp = PEEK_U32(p);
+	return 0;
+}
+
+int
+sshbuf_peek_u16(const struct sshbuf *buf, size_t offset, u_int16_t *valp)
+{
+	const u_char *p = NULL;
+	int r;
+
+	if (valp != NULL)
+		*valp = 0;
+	if ((r = check_roffset(buf, offset, 2, &p)) != 0)
+		return r;
+	if (valp != NULL)
+		*valp = PEEK_U16(p);
+	return 0;
+}
+
+int
+sshbuf_peek_u8(const struct sshbuf *buf, size_t offset, u_char *valp)
+{
+	const u_char *p = NULL;
+	int r;
+
+	if (valp != NULL)
+		*valp = 0;
+	if ((r = check_roffset(buf, offset, 1, &p)) != 0)
+		return r;
+	if (valp != NULL)
+		*valp = *p;
+	return 0;
+}
+
 int
 sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp)
 {
@@ -342,6 +429,80 @@ sshbuf_put_u8(struct sshbuf *buf, u_char val)
 	return 0;
 }
 
+static int
+check_woffset(struct sshbuf *buf, size_t offset, size_t len, u_char **p)
+{
+	int r;
+
+	*p = NULL;
+	if ((r = check_offset(buf, 1, offset, len)) != 0)
+		return r;
+	if (sshbuf_mutable_ptr(buf) == NULL)
+		return SSH_ERR_BUFFER_READ_ONLY;
+	*p = sshbuf_mutable_ptr(buf) + offset;
+	return 0;
+}
+
+int
+sshbuf_poke_u64(struct sshbuf *buf, size_t offset, u_int64_t val)
+{
+	u_char *p = NULL;
+	int r;
+
+	if ((r = check_woffset(buf, offset, 8, &p)) != 0)
+		return r;
+	POKE_U64(p, val);
+	return 0;
+}
+
+int
+sshbuf_poke_u32(struct sshbuf *buf, size_t offset, u_int32_t val)
+{
+	u_char *p = NULL;
+	int r;
+
+	if ((r = check_woffset(buf, offset, 4, &p)) != 0)
+		return r;
+	POKE_U32(p, val);
+	return 0;
+}
+
+int
+sshbuf_poke_u16(struct sshbuf *buf, size_t offset, u_int16_t val)
+{
+	u_char *p = NULL;
+	int r;
+
+	if ((r = check_woffset(buf, offset, 2, &p)) != 0)
+		return r;
+	POKE_U16(p, val);
+	return 0;
+}
+
+int
+sshbuf_poke_u8(struct sshbuf *buf, size_t offset, u_char val)
+{
+	u_char *p = NULL;
+	int r;
+
+	if ((r = check_woffset(buf, offset, 1, &p)) != 0)
+		return r;
+	*p = val;
+	return 0;
+}
+
+int
+sshbuf_poke(struct sshbuf *buf, size_t offset, void *v, size_t len)
+{
+	u_char *p = NULL;
+	int r;
+
+	if ((r = check_woffset(buf, offset, len, &p)) != 0)
+		return r;
+	memcpy(p, v, len);
+	return 0;
+}
+
 int
 sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len)
 {
diff --git a/usr.bin/ssh/sshbuf.h b/usr.bin/ssh/sshbuf.h
index c4858867261..48a301e2c26 100644
--- a/usr.bin/ssh/sshbuf.h
+++ b/usr.bin/ssh/sshbuf.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: sshbuf.h,v 1.13 2019/01/21 09:54:11 djm Exp $	*/
+/*	$OpenBSD: sshbuf.h,v 1.14 2019/07/14 23:32:27 djm Exp $	*/
 /*
  * Copyright (c) 2011 Damien Miller
  *
@@ -172,6 +172,26 @@ int	sshbuf_put_u32(struct sshbuf *buf, u_int32_t val);
 int	sshbuf_put_u16(struct sshbuf *buf, u_int16_t val);
 int	sshbuf_put_u8(struct sshbuf *buf, u_char val);
 
+/* Functions to peek at the contents of a buffer without modifying it. */
+int	sshbuf_peek_u64(const struct sshbuf *buf, size_t offset,
+    u_int64_t *valp);
+int	sshbuf_peek_u32(const struct sshbuf *buf, size_t offset,
+    u_int32_t *valp);
+int	sshbuf_peek_u16(const struct sshbuf *buf, size_t offset,
+    u_int16_t *valp);
+int	sshbuf_peek_u8(const struct sshbuf *buf, size_t offset,
+    u_char *valp);
+
+/*
+ * Functions to poke values into an exisiting buffer (e.g. a length header
+ * to a packet). The destination bytes must already exist in the buffer.
+ */
+int sshbuf_poke_u64(struct sshbuf *buf, size_t offset, u_int64_t val);
+int sshbuf_poke_u32(struct sshbuf *buf, size_t offset, u_int32_t val);
+int sshbuf_poke_u16(struct sshbuf *buf, size_t offset, u_int16_t val);
+int sshbuf_poke_u8(struct sshbuf *buf, size_t offset, u_char val);
+int sshbuf_poke(struct sshbuf *buf, size_t offset, void *v, size_t len);
+
 /*
  * Functions to extract or store SSH wire encoded strings (u32 len || data)
  * The "cstring" variants admit no \0 characters in the string contents.
@@ -198,7 +218,6 @@ int	sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp,
 /* Another variant: "peeks" into the buffer without modifying it */
 int	sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
 	    size_t *lenp);
-/* XXX peek_u8 / peek_u32 */
 
 /*
  * Functions to extract or store SSH wire encoded bignums and elliptic