summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/ssh-keyscan.c
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@cvs.openbsd.org>2022-08-19 04:02:47 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2022-08-19 04:02:47 +0000
commit4bc5fccc940c08d47e4a84b40c1d298fd6f5beb8 (patch)
tree4e3fc9fbcb4fa187cbf93c268a218c45d461b477 /usr.bin/ssh/ssh-keyscan.c
parentb2959c4230bbfd73e82bb58ee4d5efd83d605aad (diff)
Strictly enforce the maximum allowed SSH2 banner size in ssh-keyscan
and prevent a one-byte buffer overflow. Patch from Qualys, ok djm@
Diffstat (limited to 'usr.bin/ssh/ssh-keyscan.c')
-rw-r--r--usr.bin/ssh/ssh-keyscan.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 1b75bbefc34..225884e2180 100644
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@@ -470,6 +470,15 @@ congreet(int s)
return;
}
+ /*
+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
+ * protocol identification string may be preceeded by an arbitarily
+ * large banner which we must read and ignore. Loop while reading
+ * newline-terminated lines until we have one starting with "SSH-".
+ * The ID string cannot be longer than 255 characters although the
+ * preceeding banner lines may (in which case they'll be discarded
+ * in multiple iterations of the outer loop).
+ */
for (;;) {
memset(buf, '\0', sizeof(buf));
bufsiz = sizeof(buf);
@@ -497,6 +506,11 @@ congreet(int s)
conrecycle(s);
return;
}
+ if (cp >= buf + sizeof(buf)) {
+ error("%s: greeting exceeds allowable length", c->c_name);
+ confree(s);
+ return;
+ }
if (*cp != '\n' && *cp != '\r') {
error("%s: bad greeting", c->c_name);
confree(s);