Bugzilla – Attachment 2853 Details for Bug 2566: 2 integer overflows in function ssh_packet_send2_wrapped()
[patch] revised diff
packet.diff (text/plain), 1.56 KB, created by Damien Miller on 2016-07-18 16:09:39 AEST
Description: revised diff
Filename: packet.diff
MIME Type: text/plain
Creator: Damien Miller
Created: 2016-07-18 16:09:39 AEST
Size: 1.56 KB
Flags: patch, obsolete
>Index: packet.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/packet.c,v >retrieving revision 1.232 >diff -u -p -r1.232 packet.c >--- packet.c 15 Jul 2016 05:01:58 -0000 1.232 >+++ packet.c 18 Jul 2016 06:05:10 -0000 >@@ -1160,7 +1160,7 @@ ssh_packet_send2_wrapped(struct ssh *ssh > { > struct session_state *state = ssh->state; > u_char type, *cp, macbuf[SSH_DIGEST_MAX_LENGTH]; >- u_char padlen, pad = 0; >+ u_char tmp, padlen, pad = 0; > u_int authlen = 0, aadlen = 0; > u_int len; > struct sshenc *enc = NULL; >@@ -1218,14 +1218,24 @@ ssh_packet_send2_wrapped(struct ssh *ssh > if (padlen < 4) > padlen += block_size; > if (state->extra_pad) { >- /* will wrap if extra_pad+padlen > 255 */ >+ tmp = state->extra_pad; > state->extra_pad = > roundup(state->extra_pad, block_size); >- pad = state->extra_pad - >- ((len + padlen) % state->extra_pad); >+ /* check if roundup overflowed */ >+ if (state->extra_pad < tmp) >+ return SSH_ERR_INVALID_ARGUMENT; >+ tmp = (len + padlen) % state->extra_pad; >+ /* Check whether pad calculation below will underflow */ >+ if (tmp > state->extra_pad) >+ return SSH_ERR_INVALID_ARGUMENT; >+ pad = state->extra_pad - tmp; > DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)", > __func__, pad, len, padlen, state->extra_pad)); >+ tmp = padlen; > padlen += pad; >+ /* Check whether padlen calculation overflowed */ >+ if (padlen < tmp) >+ return SSH_ERR_INVALID_ARGUMENT; /* overflow */ > state->extra_pad = 0; > } > if ((r = sshbuf_reserve(state->outgoing_packet, padlen, &cp)) != 0)
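Review bot: `tmp` is declared `u_char` and is reused in the second hunk for three different values (the saved `extra_pad`, the `(len + padlen) % state->extra_pad` remainder, and the saved `padlen`); every wraparound check there only works because `tmp` has the same 8-bit width as `extra_pad` and `padlen`, so a comment on the declaration, e.g. `u_char tmp, padlen, pad = 0; /* tmp: 8-bit scratch for overflow checks */`, would stop a later change to a wider type from silently defeating the checks.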
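Review bot: the underflow check `if (tmp > state->extra_pad)` can never fire: `tmp` was just computed as `(len + padlen) % state->extra_pad`, which is strictly less than the divisor, so `pad = state->extra_pad - tmp` cannot underflow; either drop the check or reword its comment to say it is purely defensive. The check that does the real work is the preceding `if (state->extra_pad < tmp)`: besides catching the `roundup` wrap it also guarantees `state->extra_pad` is non-zero before it is used as the modulus (a wrap to exactly 0 is caught because `tmp` is at least 1 inside the `if (state->extra_pad)` block), and that second role is worth stating in the comment. Also, on the three early returns `state->extra_pad` has already been overwritten with the rounded-up value and is not reset to 0 as on the success path; if any caller can continue after `SSH_ERR_INVALID_ARGUMENT`, clearing it before returning avoids leaving stale padding state behind.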