From 33678fc8b299d55717f34c94bad03f629f7c89a2 Mon Sep 17 00:00:00 2001 From: Markus Friedl Date: Fri, 14 Apr 2000 10:09:17 +0000 Subject: check payload for (illegal) extra data --- usr.bin/ssh/auth.c | 20 +++++++++++++++----- usr.bin/ssh/channels.c | 12 +++++++++++- usr.bin/ssh/clientloop.c | 3 ++- usr.bin/ssh/packet.c | 8 +++++++- usr.bin/ssh/packet.h | 15 ++++++++++++++- usr.bin/ssh/serverloop.c | 14 ++++++++------ usr.bin/ssh/session.c | 18 +++++++++++++----- usr.bin/ssh/sshconnect.c | 20 ++++++++++++++++---- 8 files changed, 86 insertions(+), 24 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c index f33790da06e..b5677bf059c 100644 --- a/usr.bin/ssh/auth.c +++ b/usr.bin/ssh/auth.c @@ -5,7 +5,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.2 2000/04/06 08:55:22 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.3 2000/04/14 10:09:14 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -630,6 +630,7 @@ input_service_request(int type, int plen) unsigned int len; int accept = 0; char *service = packet_get_string(&len); + packet_done(); if (strcmp(service, "ssh-userauth") == 0) { if (!userauth_success) { @@ -672,6 +673,7 @@ input_userauth_request(int type, int plen) pw = auth_set_user(user, service); if (pw && strcmp(service, "ssh-connection")==0) { if (strcmp(method, "none") == 0 && try == 1) { + packet_done(); authenticated = auth_password(pw, ""); } else if (strcmp(method, "password") == 0) { char *password; @@ -679,16 +681,25 @@ input_userauth_request(int type, int plen) if (c) debug("password change not supported"); password = packet_get_string(&len); + packet_done(); authenticated = auth_password(pw, password); memset(password, 0, len); xfree(password); } else if (strcmp(method, "publickey") == 0) { /* XXX TODO */ - char *pkalg; - char *pkblob; - c = packet_get_char(); + char *pkalg, *pkblob, *sig; + int have_sig = packet_get_char(); pkalg = packet_get_string(&len); pkblob = packet_get_string(&len); + if (have_sig) { + sig = packet_get_string(&len); + /* test for correct signature */ + packet_done(); + xfree(sig); + } else { + packet_done(); + /* test whether pkalg/pkblob are acceptable */ + } xfree(pkalg); xfree(pkblob); } @@ -697,7 +708,6 @@ input_userauth_request(int type, int plen) if (authenticated) { /* turn off userauth */ dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); - /* success! */ packet_start(SSH2_MSG_USERAUTH_SUCCESS); packet_send(); packet_write_wait(); diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c index c32999a0586..3a634bfb9da 100644 --- a/usr.bin/ssh/channels.c +++ b/usr.bin/ssh/channels.c @@ -17,7 +17,7 @@ */ #include "includes.h" -RCSID("$Id: channels.c,v 1.47 2000/04/10 15:19:43 markus Exp $"); +RCSID("$Id: channels.c,v 1.48 2000/04/14 10:09:14 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -540,8 +540,10 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) packet_put_int(newch); packet_put_int(c->local_window_max); packet_put_int(c->local_maxpacket); + /* target host and port */ packet_put_string(c->path, strlen(c->path)); packet_put_int(c->host_port); + /* originator host and port */ packet_put_cstring(remote_hostname); packet_put_int(remote_port); packet_send(); @@ -934,6 +936,7 @@ channel_input_data(int type, int plen) /* Get the data. */ data = packet_get_string(&data_len); + packet_done(); if (compat20){ if (data_len > c->local_maxpacket) { @@ -980,6 +983,7 @@ channel_input_extended_data(int type, int plen) return; } data = packet_get_string(&data_len); + packet_done(); if (data_len > c->local_window) { log("channel %d: rcvd too much extended_data %d, win %d", c->self, data_len, c->local_window); @@ -1093,6 +1097,7 @@ channel_input_close_confirmation(int type, int plen) int id = packet_get_int(); Channel *c = channel_lookup(id); + packet_done(); if (c == NULL) packet_disconnect("Received close confirmation for " "out-of-range channel %d.", id); @@ -1125,6 +1130,7 @@ channel_input_open_confirmation(int type, int plen) if (compat20) { c->remote_window = packet_get_int(); c->remote_maxpacket = packet_get_int(); + packet_done(); if (c->cb_fn != NULL && c->cb_event == type) { debug("callback start"); c->cb_fn(c->self, c->cb_arg); @@ -1153,8 +1159,11 @@ channel_input_open_failure(int type, int plen) if (compat20) { int reason = packet_get_int(); char *msg = packet_get_string(NULL); + char *lang = packet_get_string(NULL); log("channel_open_failure: %d: reason %d: %s", id, reason, msg); + packet_done(); xfree(msg); + xfree(lang); } /* Free the channel. This will also close the socket. */ channel_free(id); @@ -1204,6 +1213,7 @@ channel_input_window_adjust(int type, int plen) return; } adjust = packet_get_int(); + packet_done(); debug("channel %d: rcvd adjust %d", id, adjust); c->remote_window += adjust; } diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c index cf6d3816445..0b21d519633 100644 --- a/usr.bin/ssh/clientloop.c +++ b/usr.bin/ssh/clientloop.c @@ -16,7 +16,7 @@ */ #include "includes.h" -RCSID("$Id: clientloop.c,v 1.18 2000/04/12 06:37:02 markus Exp $"); +RCSID("$Id: clientloop.c,v 1.19 2000/04/14 10:09:15 markus Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -1027,6 +1027,7 @@ client_input_channel_req(int id, void *arg) } else if (strcmp(rtype, "exit-status") == 0) { success = 1; exit_status = packet_get_int(); + packet_done(); } if (reply) { packet_start(success ? diff --git a/usr.bin/ssh/packet.c b/usr.bin/ssh/packet.c index c6a462c045e..af8824f3641 100644 --- a/usr.bin/ssh/packet.c +++ b/usr.bin/ssh/packet.c @@ -17,7 +17,7 @@ */ #include "includes.h" -RCSID("$Id: packet.c,v 1.27 2000/04/12 09:39:10 markus Exp $"); +RCSID("$Id: packet.c,v 1.28 2000/04/14 10:09:15 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -1055,6 +1055,12 @@ packet_get_raw(int *length_ptr) return buffer_ptr(&incoming_packet); } +int +packet_remaining(void) +{ + return buffer_len(&incoming_packet); +} + /* * Returns a string from the packet data. The string is allocated using * xmalloc; it is the responsibility of the calling program to free it when diff --git a/usr.bin/ssh/packet.h b/usr.bin/ssh/packet.h index 51d4882f756..70fc0ddcdf4 100644 --- a/usr.bin/ssh/packet.h +++ b/usr.bin/ssh/packet.h @@ -13,7 +13,7 @@ * */ -/* RCSID("$Id: packet.h,v 1.13 2000/04/12 09:39:10 markus Exp $"); */ +/* RCSID("$Id: packet.h,v 1.14 2000/04/14 10:09:15 markus Exp $"); */ #ifndef PACKET_H #define PACKET_H @@ -196,6 +196,16 @@ do { \ } \ } while (0) +#define packet_done() \ +do { \ + int _len = packet_remaining(); \ + if (_len > 0) { \ + log("Packet integrity error (%d bytes remaining) at %s:%d", \ + _len ,__FILE__, __LINE__); \ + packet_disconnect("Packet integrity error."); \ + } \ +} while (0) + /* remote host is connected via a socket/ipv4 */ int packet_connection_is_on_socket(void); int packet_connection_is_ipv4(void); @@ -203,4 +213,7 @@ int packet_connection_is_ipv4(void); /* enable SSH2 packet format */ void packet_set_ssh2_format(void); +/* returns remaining payload bytes */ +int packet_remaining(void); + #endif /* PACKET_H */ diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c index 4cbb3ba39f5..72f6c2ac72a 100644 --- a/usr.bin/ssh/serverloop.c +++ b/usr.bin/ssh/serverloop.c @@ -684,16 +684,17 @@ int input_direct_tcpip(void) { int sock; - char *host, *originator; - int host_port, originator_port; + char *target, *originator; + int target_port, originator_port; - host = packet_get_string(NULL); - host_port = packet_get_int(); + target = packet_get_string(NULL); + target_port = packet_get_int(); originator = packet_get_string(NULL); originator_port = packet_get_int(); + packet_done(); /* XXX check permission */ - sock = channel_connect_to(host, host_port); - xfree(host); + sock = channel_connect_to(target, target_port); + xfree(target); xfree(originator); if (sock < 0) return -1; @@ -722,6 +723,7 @@ server_input_channel_open(int type, int plen) if (strcmp(ctype, "session") == 0) { debug("open session"); + packet_done(); /* * A server session has no fd to read or write * until a CHANNEL_REQUEST for a shell is made, diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index c98e65e3d58..3849dac6ee2 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -8,7 +8,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.2 2000/04/06 08:55:22 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.3 2000/04/14 10:09:16 markus Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -1134,6 +1134,7 @@ session_window_change_req(Session *s) s->row = packet_get_int(); s->xpixel = packet_get_int(); s->ypixel = packet_get_int(); + packet_done(); pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); return 1; } @@ -1142,14 +1143,17 @@ int session_pty_req(Session *s) { unsigned int len; + char *term_modes; /* encoded terminal modes */ if (s->ttyfd != -1) - return -1; + return 0; s->term = packet_get_string(&len); s->col = packet_get_int(); s->row = packet_get_int(); s->xpixel = packet_get_int(); s->ypixel = packet_get_int(); + term_modes = packet_get_string(&len); + packet_done(); if (strcmp(s->term, "") == 0) { xfree(s->term); @@ -1162,7 +1166,8 @@ session_pty_req(Session *s) s->ptyfd = -1; s->ttyfd = -1; error("session_pty_req: session %d alloc failed", s->self); - return -1; + xfree(term_modes); + return 0; } debug("session_pty_req: session %d alloc %s", s->self, s->tty); /* @@ -1174,6 +1179,8 @@ session_pty_req(Session *s) /* Get window size from the packet. */ pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); + /* XXX parse and set terminal modes */ + xfree(term_modes); return 1; } @@ -1206,6 +1213,7 @@ session_input_channel_req(int id, void *arg) */ if (c->type == SSH_CHANNEL_LARVAL) { if (strcmp(rtype, "shell") == 0) { + packet_done(); if (s->ttyfd == -1) do_exec_no_pty(s, NULL, s->pw); else @@ -1213,6 +1221,7 @@ session_input_channel_req(int id, void *arg) success = 1; } else if (strcmp(rtype, "exec") == 0) { char *command = packet_get_string(&len); + packet_done(); if (s->ttyfd == -1) do_exec_no_pty(s, command, s->pw); else @@ -1220,8 +1229,7 @@ session_input_channel_req(int id, void *arg) xfree(command); success = 1; } else if (strcmp(rtype, "pty-req") == 0) { - if (session_pty_req(s) > 0) - success = 1; + success = session_pty_req(s); } } if (strcmp(rtype, "window-change") == 0) { diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index 18d1c593234..cecd304c348 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.66 2000/04/12 09:39:10 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.67 2000/04/14 10:09:16 markus Exp $"); #include #include "xmalloc.h" @@ -1400,6 +1400,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) debug("first kex follow == %d", i); i = packet_get_int(); debug("reserved == %d", i); + packet_done(); debug("done read kexinit"); kex = kex_choose_conf(cprop, sprop, 0); @@ -1455,6 +1456,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) /* signed H */ signature = packet_get_string(&slen); + packet_done(); if (!dh_pub_is_valid(dh, dh_server_pub)) packet_disconnect("bad server public DH value"); @@ -1507,6 +1509,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) debug("Wait SSH2_MSG_NEWKEYS."); packet_read_expect(&payload_len, SSH2_MSG_NEWKEYS); + packet_done(); debug("GOT SSH2_MSG_NEWKEYS."); debug("send SSH2_MSG_NEWKEYS."); @@ -1540,7 +1543,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, char *server_user, *local_user; char *auths; char *password; - char *service = "ssh-connection"; // service name + char *service = "ssh-connection"; /* service name */ debug("send SSH2_MSG_SERVICE_REQUEST"); packet_start(SSH2_MSG_SERVICE_REQUEST); @@ -1552,8 +1555,15 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, if (type != SSH2_MSG_SERVICE_ACCEPT) { fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type); } - /* payload empty for ssh-2.0.13 ?? */ - /* reply = packet_get_string(&payload_len); */ + if (packet_remaining() > 0) { + char *reply = packet_get_string(&plen); + debug("service_accept: %s", reply); + xfree(reply); + } else { + /* payload empty for ssh-2.0.13 ?? */ + log("buggy server: service_accept w/o service"); + } + packet_done(); debug("got SSH2_MSG_SERVICE_ACCEPT"); /*XX COMMONCODE: */ @@ -1582,6 +1592,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, auths = packet_get_string(&dlen); debug("authentications that can continue: %s", auths); partial = packet_get_char(); + packet_done(); if (partial) debug("partial success"); if (strstr(auths, "password") == NULL) @@ -1602,6 +1613,7 @@ ssh_userauth2(int host_key_valid, RSA *own_host_key, packet_send(); packet_write_wait(); } + packet_done(); debug("ssh-userauth2 successfull"); } -- cgit v1.2.3