Bugzilla – Attachment 1806 Details for
Bug 1565
ssh-keyscan doesn't like comment-lines
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch to fix integer overflow in fgets() wrapper
ssh-keyscan.diff (text/plain), 4.60 KB, created by
Joachim Schipper
on 2010-03-07 08:56:52 AEDT
(
hide
)
Description:
Patch to fix integer overflow in fgets() wrapper
Filename:
MIME Type:
Creator:
Joachim Schipper
Created:
2010-03-07 08:56:52 AEDT
Size:
4.60 KB
patch
obsolete
>Index: ssh-keyscan.c >=================================================================== >RCS file: /usr/cvs/src/src/usr.bin/ssh/ssh-keyscan.c,v >retrieving revision 1.81 >diff -u -p -r1.81 ssh-keyscan.c >--- ssh-keyscan.c 9 Jan 2010 23:04:13 -0000 1.81 >+++ ssh-keyscan.c 6 Mar 2010 20:33:34 -0000 >@@ -1,4 +1,4 @@ >-/* $OpenBSD: ssh-keyscan.c,v 1.78 2009/01/22 10:02:34 djm Exp $ */ >+/* $OpenBSD: ssh-keyscan.c,v 1.81 2010/01/09 23:04:13 dtucker Exp $ */ > /* > * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. > * >@@ -99,122 +99,6 @@ typedef struct Connection { > TAILQ_HEAD(conlist, Connection) tq; /* Timeout Queue */ > con *fdcon; > >-/* >- * This is just a wrapper around fgets() to make it usable. >- */ >- >-/* Stress-test. Increase this later. */ >-#define LINEBUF_SIZE 16 >- >-typedef struct { >- char *buf; >- u_int size; >- int lineno; >- const char *filename; >- FILE *stream; >- void (*errfun) (const char *,...); >-} Linebuf; >- >-static Linebuf * >-Linebuf_alloc(const char *filename, void (*errfun) (const char *,...)) >-{ >- Linebuf *lb; >- >- if (!(lb = malloc(sizeof(*lb)))) { >- if (errfun) >- (*errfun) ("linebuf (%s): malloc failed\n", >- filename ? filename : "(stdin)"); >- return (NULL); >- } >- if (filename) { >- lb->filename = filename; >- if (!(lb->stream = fopen(filename, "r"))) { >- xfree(lb); >- if (errfun) >- (*errfun) ("%s: %s\n", filename, strerror(errno)); >- return (NULL); >- } >- } else { >- lb->filename = "(stdin)"; >- lb->stream = stdin; >- } >- >- if (!(lb->buf = malloc((lb->size = LINEBUF_SIZE)))) { >- if (errfun) >- (*errfun) ("linebuf (%s): malloc failed\n", lb->filename); >- xfree(lb); >- return (NULL); >- } >- lb->errfun = errfun; >- lb->lineno = 0; >- return (lb); >-} >- >-static void >-Linebuf_free(Linebuf * lb) >-{ >- fclose(lb->stream); >- xfree(lb->buf); >- xfree(lb); >-} >- >-#if 0 >-static void >-Linebuf_restart(Linebuf * lb) >-{ >- clearerr(lb->stream); >- rewind(lb->stream); >- lb->lineno = 0; >-} >- >-static int >-Linebuf_lineno(Linebuf * lb) >-{ >- return (lb->lineno); >-} >-#endif >- >-static char * >-Linebuf_getline(Linebuf * lb) >-{ >- size_t n = 0; >- void *p; >- >- lb->lineno++; >- for (;;) { >- /* Read a line */ >- if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) { >- if (ferror(lb->stream) && lb->errfun) >- (*lb->errfun)("%s: %s\n", lb->filename, >- strerror(errno)); >- return (NULL); >- } >- n = strlen(lb->buf); >- >- /* Return it or an error if it fits */ >- if (n > 0 && lb->buf[n - 1] == '\n') { >- lb->buf[n - 1] = '\0'; >- return (lb->buf); >- } >- if (n != lb->size - 1) { >- if (lb->errfun) >- (*lb->errfun)("%s: skipping incomplete last line\n", >- lb->filename); >- return (NULL); >- } >- /* Double the buffer if we need more space */ >- lb->size *= 2; >- if ((p = realloc(lb->buf, lb->size)) == NULL) { >- lb->size /= 2; >- if (lb->errfun) >- (*lb->errfun)("linebuf (%s): realloc failed\n", >- lb->filename); >- return (NULL); >- } >- lb->buf = p; >- } >-} >- > static int > fdlim_get(int hard) > { >@@ -709,8 +593,10 @@ int > main(int argc, char **argv) > { > int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO; >- int opt, fopt_count = 0; >- char *tname; >+ int opt, fopt_count = 0, j; >+ char *tname, *line; >+ size_t i, line_len; >+ FILE *fp; > > extern int optind; > extern char *optarg; >@@ -808,20 +694,52 @@ main(int argc, char **argv) > read_wait_nfdset = howmany(maxfd, NFDBITS); > read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask)); > >- if (fopt_count) { >- Linebuf *lb; >- char *line; >- int j; >- >- for (j = 0; j < fopt_count; j++) { >- lb = Linebuf_alloc(argv[j], error); >- if (!lb) >+ line = NULL; >+ >+ for (j = 0; j < fopt_count; j++) { >+ if (line == NULL) >+ line = xmalloc(line_len = BUFSIZ); >+ >+ if ((fp = fopen(argv[j], "r")) == NULL) >+ fatal("%s: %s: %s", __progname, argv[j], >+ strerror(errno)); >+ >+ i = 0; >+ while (fgets(&line[i], line_len - i, fp)) { >+ /* Read a line */ >+ i += strcspn(&line[i], "\n"); >+ if (line[i] == '\0' && i == line_len - 1) { >+ if (line_len > SIZE_MAX / 2) >+ fatal("%s: %s: line %.20s too long", >+ __progname, argv[j], line); >+ line = xrealloc(line, line_len *= 2, 1); >+ continue; >+ } >+ >+ /* Strip off comments and whitespace at end */ >+ for (i = strcspn(line, "#\n"); >+ i > 0 && strchr(" \t", line[i - 1]); >+ i--); >+ line[i] = '\0'; >+ >+ /* Skip empty lines, comments */ >+ if (i == 0) > continue; >- while ((line = Linebuf_getline(lb)) != NULL) >- do_host(line); >- Linebuf_free(lb); >+ >+ do_host(line); >+ >+ i = 0; > } >+ >+ if (ferror(fp)) >+ fatal("%s: %s: %s", __progname, argv[j], >+ strerror(errno)); >+ >+ fclose(fp); > } >+ >+ if (line) >+ xfree(line); > > while (optind < argc) > do_host(argv[optind++]);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1806">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1565
:
1806
|
1868
|
1869
|
1870
|
1875