Created attachment 3465 [details]
Proposed Patch

Setting a high value for the ConnectTimeout option will make it negative. This will result in an integer overflow undetected by the previous checks.

PoC (ArchLinux GNU/Linux):

$ uname -a
Linux haigha 5.10.5-arch1-1 #1 SMP PREEMPT Thu, 07 Jan 2021 09:50:43 +0000 x86_64 GNU/Linux
$ gcc --version
gcc (GCC) 10.2.0
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ clang --version
clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
[1]    26360 abort (core dumped)  ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
Created attachment 3466 [details]
convtime return long -> int

There's a bit more to it than that. convtime() returns -1 on error, including negative values, but it returns a long. On a platform where sizeof(int) != sizeof(long), convtime can accept a large positive value that then wraps to negative. I think the correct thing to do is to change convtime to return int.
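The truncation described in the comment above, as an added illustration that is not OpenSSH's code: a hypothetical parse_seconds_long() stands in for a convtime()-style parser that returns long, store_as_int_unchecked() shows the caller's old -1 check letting 0x80000000 through before it is narrowed to int, and parse_seconds_int() is the fix the comment proposes (return int, reject anything above INT_MAX).

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a convtime()-style parser that returns long.
 * Plain decimal seconds only (no s/m/h suffixes); -1 on error or negative. */
long parse_seconds_long(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0)
        return -1;
    return v;   /* on LP64, "2147483648" (0x80000000) is accepted here */
}

/* The old caller pattern: only the long's -1 is checked, then the value
 * is stored in an int option field, so 0x80000000 wraps to INT_MIN. */
int store_as_int_unchecked(const char *s)
{
    long v = parse_seconds_long(s);
    if (v == -1)
        return -1;
    int timeout = (int)v;   /* silent narrowing: positive long -> negative int */
    return timeout;
}

/* Fixed variant: the parser itself returns int and rejects values that
 * do not fit, so the caller's negative-value check is sufficient again. */
int parse_seconds_int(const char *s)
{
    long v = parse_seconds_long(s);
    if (v == -1 || v > INT_MAX)
        return -1;
    return (int)v;
}

int main(void)
{
    /* constructed inputs: valid, INT_MAX, INT_MAX + 1, negative, garbage */
    const char *inputs[] = { "30", "2147483647", "2147483648", "-5", "abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-11s unchecked=%d  fixed=%d\n", inputs[i],
               store_as_int_unchecked(inputs[i]), parse_seconds_int(inputs[i]));
    return 0;
}
```

On a platform with 32-bit long, strtol() already fails with ERANGE for 2147483648, which is why the bug only shows where sizeof(long) > sizeof(int).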
Patch has been applied and will be in the 8.5 release. Thanks for the report.

$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
command-line line 0: invalid time value.
*** Bug 3256 has been marked as a duplicate of this bug. ***
Close bugs that were resolved in the OpenSSH 8.5 release cycle.