Bug 1913 - wrong type for version in sftp-server.c
Summary: wrong type for version in sftp-server.c
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp-server
Version: 5.8p2
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_9
Reported: 2011-06-09 18:02 AEST by Mat
Modified: 2011-09-06 15:33 AEST
Description Mat 2011-06-09 18:02:42 AEST
The type of version is defined as (line 71, file: sftp-server.c):
int version;

but it should be defined as
u_int32_t version;

Why is this important? 
A client is submitting a value >= 2^31 in the client version (which is okay according to the RFC). The code, however, interprets such a value as a signed int, and version checks such as the following will fail as a result:
line 417
	if (version >= 3) {
		buffer_put_cstring(&msg, status_to_message(status));
		buffer_put_cstring(&msg, "");
	}
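
Added example, not part of the original report and not OpenSSH's code: a minimal parser for a constructed INIT packet (uint32 length, byte type, uint32 version) that runs the `version >= 3` check with the value held first as a signed int and then as an unsigned 32-bit integer. The names parse_init, check_signed, check_unsigned and sample_init are hypothetical, and the signed result assumes a two's-complement target where the out-of-range conversion wraps.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SSH2_FXP_INIT 1 /* packet type of the client's INIT message */

/* Read a big-endian uint32, the integer encoding used on the wire. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse length, type and version; return 0 on success, -1 if malformed. */
int parse_init(const unsigned char *pkt, size_t len, uint32_t *version)
{
    if (len < 9 || get_u32(pkt) < 5 || get_u32(pkt) > len - 4)
        return -1;
    if (pkt[4] != SSH2_FXP_INIT)
        return -1;
    *version = get_u32(pkt + 5);
    return 0;
}

/* The reported check with the version stored in a signed int. */
int check_signed(uint32_t wire)
{
    int version = (int)wire; /* values >= 2^31 turn negative here */
    return version >= 3;
}

/* The same check with the version stored as an unsigned 32-bit value. */
int check_unsigned(uint32_t wire)
{
    uint32_t version = wire;
    return version >= 3;
}

/* Constructed sample: INIT packet advertising version 0x80000003. */
const unsigned char sample_init[] = { 0, 0, 0, 5, SSH2_FXP_INIT, 0x80, 0, 0, 3 };

int main(void)
{
    uint32_t v;
    if (parse_init(sample_init, sizeof(sample_init), &v) != 0)
        return 1;
    printf("version=%lu signed check=%d unsigned check=%d\n",
        (unsigned long)v, check_signed(v), check_unsigned(v));
    return 0;
}
```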
Comment 1 Damien Miller 2011-06-18 09:45:52 AEST
Fixed - thanks. This will be in OpenSSH-5.9
Comment 2 Damien Miller 2011-09-06 15:33:07 AEST
close resolved bugs now that openssh-5.9 has been released