| Summary: | Integer overflow in ConnectTimeout | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Davide Berardi <berardi.dav> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | minor | CC: | andres, berardi.dav, djm, dtucker |
| Priority: | P5 | | |
| Version: | 8.4p1 | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| Bug Depends on: | | | |
| Bug Blocks: | 3217 | | |
| Attachments: | | | |
Created attachment 3466 [details]
convtime return long -> int
There's a bit more to it than that. convtime() returns -1 on error, including negative values, but it returns a long. On a platform where sizeof(int) != sizeof(long), convtime can accept a large positive value that then wraps to negative. I think the correct thing to do is to change convtime to return int.
Patch has been applied and will be in the 8.5 release. Thanks for the report.

```
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
command-line line 0: invalid time value.
```

*** Bug 3256 has been marked as a duplicate of this bug. ***

Close bugs that were resolved in the OpenSSH 8.5 release cycle.
Created attachment 3465 [details]
Proposed Patch

Setting a high value for the ConnectTimeout option will make it negative. This will result in an integer overflow undetected by the previous checks.

PoC (ArchLinux GNU/Linux):

```
$ uname -a
Linux haigha 5.10.5-arch1-1 #1 SMP PREEMPT Thu, 07 Jan 2021 09:50:43 +0000 x86_64 GNU/Linux
$ gcc --version
gcc (GCC) 10.2.0
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ clang --version
clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
[1]    26360 abort (core dumped)  ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
```
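The root cause discussed in this bug (a convtime()-style parser that returns a long, whose result is later narrowed to an int after the negative check has already passed) as an added illustration; this is not OpenSSH's code nor the attached patch. `parse_seconds_long`, `timeout_narrowed` and `parse_seconds_int` are hypothetical names, and the wrap to INT_MIN assumes an LP64 platform such as x86_64 Linux, as in the PoC.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for a convtime()-style parser (hypothetical, not the
 * OpenSSH function): plain decimal seconds, returned as a long, -1 on error. */
static long parse_seconds_long(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    return v;
}

/* Bug pattern: the long result is range-checked and then stored in an int.
 * On LP64 the check passes for 0x80000000 and the narrowing wraps to
 * INT_MIN, so a negative timeout reaches code that believes it was validated. */
static int timeout_narrowed(const char *s)
{
    long t = parse_seconds_long(s);
    if (t < 0)
        return -1;           /* looks safe: only the long was checked */
    return (int)t;           /* silent narrowing: 2147483648 -> -2147483648 */
}

/* Fixed pattern, in the spirit of the 8.5 change: the parser itself returns
 * int and rejects anything that does not fit, so no caller can narrow it. */
static int parse_seconds_int(const char *s)
{
    long t = parse_seconds_long(s);
    if (t < 0 || t > INT_MAX)
        return -1;
    return (int)t;
}

int main(void)
{
    const char *big = "2147483648";   /* constructed input: 0x80000000 */
    printf("narrowed: %d\n", timeout_narrowed(big));
    printf("checked:  %d\n", parse_seconds_int(big));
    printf("checked:  %d\n", parse_seconds_int("30"));
    return 0;
}
```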