Bugzilla – Attachment 1591 Details for
Bug 1380
incorrect check for strlen(fwd->connect_host) in parse_forward()
[patch]
make c->path dynamic and nuke SSH_CHANNEL_PATH_LEN
cpath-dynamic.diff (text/plain), 5.43 KB, created by
Damien Miller
on 2009-01-14 12:58:18 AEDT
Description:
make c->path dynamic and nuke SSH_CHANNEL_PATH_LEN
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2009-01-14 12:58:18 AEDT
Size:
5.43 KB
>Index: channels.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/channels.h,v
>retrieving revision 1.96
>diff -u -p -r1.96 channels.h
>--- channels.h 15 Jun 2008 20:06:26 -0000 1.96
>+++ channels.h 14 Jan 2009 01:55:20 -0000
>@@ -55,8 +55,6 @@
> #define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */
> #define SSH_CHANNEL_MAX_TYPE 15
>
>-#define SSH_CHANNEL_PATH_LEN 256
>-
> struct Channel;
> typedef struct Channel Channel;
>
>@@ -104,7 +102,7 @@ struct Channel {
> Buffer output; /* data received over encrypted connection for
> * send on socket */
> Buffer extended;
>- char path[SSH_CHANNEL_PATH_LEN];
>+ char *path;
> /* path for unix domain sockets, or host name for forwards */
> int listening_port; /* port being listened for forwards */
> int host_port; /* remote port to connect for forwards */
>Index: channels.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/channels.c,v
>retrieving revision 1.292
>diff -u -p -r1.292 channels.c
>--- channels.c 14 Jan 2009 01:38:06 -0000 1.292
>+++ channels.c 14 Jan 2009 01:55:20 -0000
>@@ -291,6 +291,7 @@ channel_new(char *ctype, int type, int r
> buffer_init(&c->input);
> buffer_init(&c->output);
> buffer_init(&c->extended);
>+ c->path = NULL;
> c->ostate = CHAN_OUTPUT_OPEN;
> c->istate = CHAN_INPUT_OPEN;
> c->flags = 0;
>@@ -397,6 +398,10 @@ channel_free(Channel *c)
> xfree(c->remote_name);
> c->remote_name = NULL;
> }
>+ if (c->path) {
>+ xfree(c->path);
>+ c->path = NULL;
>+ }
> while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
> if (cc->abandon_cb != NULL)
> cc->abandon_cb(c, cc->ctx);
>@@ -1032,7 +1037,7 @@ channel_decode_socks4(Channel *c, fd_set
>
> if (need == 1) { /* SOCKS4: one string */
> host = inet_ntoa(s4_req.dest_addr);
>- strlcpy(c->path, host, sizeof(c->path));
>+ c->path = xstrdup(host);
> } else { /* SOCKS4A: two strings */
> have = buffer_len(&c->input);
> p = buffer_ptr(&c->input);
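Review bot: The comment under the new `char *path;` member in struct Channel does not say who owns the pointer or that it can be NULL. With the fixed array gone, the field is NULL after channel_new() and otherwise holds an xstrdup()'d string that channel_free() releases, so the comment should state that, for example `/* path for unix domain sockets, or host name for forwards; heap-allocated, owned by the channel, NULL until set */`. Readers of the field that relied on an always-terminated array now have to tolerate NULL, and the declaration is where a maintainer will look for that rule.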
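Review bot: `c->path = xstrdup(host);` in channel_decode_socks4() overwrites the pointer without releasing a previous value, so the old string leaks if the decoder can run on a channel whose path is already set; with the fixed array a second write was harmless. The same unconditional assignment appears in the SOCKS4A branch (`c->path = xstrdup(p);`) and in both branches of channel_decode_socks5(). Whether a second pass is reachable is not visible in these hunks, but a guard ahead of the branches is cheap: `if (c->path != NULL) { xfree(c->path); c->path = NULL; }`. The function body starts and ends outside the hunk.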
>@@ -1043,11 +1048,12 @@ channel_decode_socks4(Channel *c, fd_set
> if (len > have)
> fatal("channel %d: decode socks4a: len %d > have %d",
> c->self, len, have);
>- if (strlcpy(c->path, p, sizeof(c->path)) >= sizeof(c->path)) {
>+ if (len > NI_MAXHOST) {
> error("channel %d: hostname \"%.100s\" too long",
> c->self, p);
> return -1;
> }
>+ c->path = xstrdup(p);
> buffer_consume(&c->input, len);
> }
> c->host_port = ntohs(s4_req.dest_port);
>@@ -1088,7 +1094,7 @@ channel_decode_socks5(Channel *c, fd_set
> u_int8_t atyp;
> } s5_req, s5_rsp;
> u_int16_t dest_port;
>- u_char *p, dest_addr[255+1];
>+ u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
> u_int have, need, i, found, nmethods, addrlen, af;
>
> debug2("channel %d: decode socks5", c->self);
>@@ -1161,10 +1167,18 @@ channel_decode_socks5(Channel *c, fd_set
> buffer_get(&c->input, (char *)&dest_addr, addrlen);
> buffer_get(&c->input, (char *)&dest_port, 2);
> dest_addr[addrlen] = '\0';
>- if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
>- strlcpy(c->path, (char *)dest_addr, sizeof(c->path));
>- else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
>- return -1;
>+ if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
>+ if (addrlen > NI_MAXHOST - 1) {
>+ error("channel %d: dynamic request: socks5 hostname "
>+ "\"%.100s\" too long", c->self, dest_addr);
>+ return -1;
>+ }
>+ c->path = xstrdup(dest_addr);
>+ } else {
>+ if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
>+ return -1;
>+ c->path = xstrdup(ntop);
>+ }
> c->host_port = ntohs(dest_port);
>
> debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
>@@ -1393,7 +1407,7 @@ channel_post_port_listener(Channel *c, f
> c->local_window_max, c->local_maxpacket, 0, rtype, 1);
> nc->listening_port = c->listening_port;
> nc->host_port = c->host_port;
>- strlcpy(nc->path, c->path, sizeof(nc->path));
>+ nc->path = xstrdup(c->path);
>
> if (nextstate == SSH_CHANNEL_DYNAMIC) {
> /*
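Review bot: `ntop` is declared `u_char` next to `dest_addr` in channel_decode_socks5(), yet the later hunk passes it to inet_ntop() as the text destination and hands both arrays to xstrdup(), which take `char *`; the removed code cast `(char *)dest_addr` and the new code drops that cast. Pointer-signedness warnings in a parser for network data tend to get silenced in bulk, which hides the ones that matter. Declaring the text buffer on its own line as `char ntop[INET6_ADDRSTRLEN];` and writing `c->path = xstrdup((char *)dest_addr);` keeps the types consistent. The function starts and ends outside both hunks.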
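Review bot: The new `addrlen > NI_MAXHOST - 1` test in channel_decode_socks5() runs after `buffer_get(&c->input, (char *)&dest_addr, addrlen)` and `dest_addr[addrlen] = '\0'` have already written into the 256-byte `dest_addr`, so it cannot be what keeps that copy in bounds. The check that limits `addrlen` must sit above this hunk and is worth confirming; if it caps the length at 255, the new test presumably never fires wherever NI_MAXHOST is larger than that. A comment would record the intent, for example `/* dest_addr is bounded above; this only caps the host name length */`.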
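Review bot: `nc->path = xstrdup(c->path);` in channel_post_port_listener() assumes the listener's path is never NULL, which the old array guaranteed and the new pointer does not, since channel_new() now leaves it NULL until a caller assigns it. The listeners created in channel_setup_fwd_listener() set it immediately, so this is probably safe today, but the invariant is now implicit. The same assumption is made by `strcmp(c->path, host)` in channel_cancel_rport_listener(). A guard such as `if (c->path != NULL) nc->path = xstrdup(c->path);`, or a comment stating that listener channels always carry a path, would make it explicit.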
>@@ -2432,7 +2446,7 @@ channel_setup_fwd_listener(int type, con
> error("No forward host name.");
> return 0;
> }
>- if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
>+ if (strlen(host) > NI_MAXHOST) {
> error("Forward host name too long.");
> return 0;
> }
>@@ -2529,7 +2543,7 @@ channel_setup_fwd_listener(int type, con
> c = channel_new("port listener", type, sock, sock, -1,
> CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
> 0, "port listener", 1);
>- strlcpy(c->path, host, sizeof(c->path));
>+ c->path = xstrdup(host);
> c->host_port = port_to_connect;
> c->listening_port = listen_port;
> success = 1;
>@@ -2551,8 +2565,7 @@ channel_cancel_rport_listener(const char
> Channel *c = channels[i];
>
> if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
>- strncmp(c->path, host, sizeof(c->path)) == 0 &&
>- c->listening_port == port) {
>+ strcmp(c->path, host) == 0 && c->listening_port == port) {
> debug2("%s: close channel %d", __func__, i);
> channel_free(c);
> found = 1;
>Index: session.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/session.c,v
>retrieving revision 1.244
>diff -u -p -r1.244 session.c
>--- session.c 9 Nov 2008 12:34:47 -0000 1.244
>+++ session.c 14 Jan 2009 01:55:21 -0000
>@@ -221,7 +221,7 @@ auth_input_request_forwarding(struct pas
> SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
> CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
> 0, "auth socket", 1);
>- strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
>+ nc->path = xstrdup(auth_sock_name);
> return 1;
>
> authsock_err:
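Review bot: `strlen(host) > NI_MAXHOST` in channel_setup_fwd_listener() accepts a name of exactly NI_MAXHOST characters, while the SOCKS5 decoder in this patch rejects anything above `NI_MAXHOST - 1`, so the two limits differ by one. NI_MAXHOST is conventionally a buffer size that includes the terminating NUL, so a name that long would not fit a buffer of that size used later for resolution. Writing `if (strlen(host) >= NI_MAXHOST) {` keeps the forward-listener limit in line with the decoders. The enclosing function continues outside the hunk.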