| Summary: | wrong type for version in sftp-server.c | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Mat <mb> |
| Component: | sftp-server | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | normal | CC: | djm |
| Priority: | P2 | | |
| Version: | 5.8p2 | | |
| Hardware: | All | | |
| OS: | All | | |
| Bug Depends on: | | | |
| Bug Blocks: | 1845 | | |

Fixed - thanks. This will be in OpenSSH-5.9.

Close resolved bugs now that openssh-5.9 has been released.

The type of version is defined as (line 71, file: sftp-server.c):

```c
int version;
```

but it should be defined as

```c
u_int32_t version;
```

Why is this important? A client is submitting a value >= 2^31 in the client version (which is okay according to the RFC). The code, however, interprets such a value as a signed int, and version checks such as the following will fail as a result:

line 417

```c
if (version >= 3) {
    buffer_put_cstring(&msg, status_to_message(status));
    buffer_put_cstring(&msg, "");
}
```
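
The signedness problem described in the report, as an added example that is not part of the original bug report or of OpenSSH's code: it parses a constructed SFTP INIT packet and runs the quoted `version >= 3` check with the version held first in an `int` and then in an unsigned 32-bit type. The names `parse_init`, `sends_message_signed` and `sends_message_unsigned` are hypothetical, and a 32-bit two's-complement `int` is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FXP_INIT 1 /* SSH_FXP_INIT packet type */

/* Constructed sample INIT packets: uint32 length, byte type, uint32 version. */
const unsigned char INIT_V3[]   = {0, 0, 0, 5, FXP_INIT, 0x00, 0, 0, 3};
const unsigned char INIT_HIGH[] = {0, 0, 0, 5, FXP_INIT, 0x80, 0, 0, 0};

/* Read a big-endian uint32 as encoded on the wire. */
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical parser: returns 0 and sets *version, or -1 if malformed. */
int parse_init(const unsigned char *pkt, size_t len, uint32_t *version) {
    if (len < 9) return -1;                    /* too short for an INIT */
    uint32_t body = get_u32(pkt);
    if (body < 5 || body > len - 4) return -1; /* length field inconsistent */
    if (pkt[4] != FXP_INIT) return -1;
    *version = get_u32(pkt + 5);
    return 0;
}

/* The quoted check with version held in an int, as before the fix.
 * Converting a value above INT_MAX is implementation-defined; on the usual
 * two's-complement targets it becomes negative, so the branch is skipped. */
int sends_message_signed(uint32_t wire) {
    int version = (int)wire;
    return version >= 3;
}

/* The same check with the unsigned type the report asks for. */
int sends_message_unsigned(uint32_t wire) {
    uint32_t version = wire;
    return version >= 3;
}

int main(void) {
    uint32_t v;
    if (parse_init(INIT_HIGH, sizeof INIT_HIGH, &v) == 0)
        printf("version=%lu signed=%d unsigned=%d\n", (unsigned long)v,
               sends_message_signed(v), sends_message_unsigned(v));
    return 0;
}
```

For the constructed version 0x80000000 the signed variant returns 0, meaning the two strings in the quoted branch would be left out of the reply, while the unsigned variant returns 1.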