From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:14:19 -0700
Subject: [PATCH 1/5] packet.c: improve parsing of packets

file: packet.c

notes:
Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST
---
 src/packet.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/packet.c b/src/packet.c
index 38ab62944..ac69768cd 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
     case SSH_MSG_DEBUG:
         if(datalen >= 2) {
             int always_display = data[1];
-
+
             if(datalen >= 6) {
-                message_len = _libssh2_ntohu32(data + 2);
-
-                if(message_len <= (datalen - 10)) {
-                    /* 6 = packet_type(1) + display(1) + message_len(4) */
-                    message = (char *) data + 6;
-                    language_len = _libssh2_ntohu32(data + 6 +
-                                                    message_len);
-
-                    if(language_len <= (datalen - 10 - message_len))
-                        language = (char *) data + 10 + message_len;
-                }
+                struct string_buf buf;
+                buf.data = (unsigned char *)data;
+                buf.dataptr = buf.data;
+                buf.len = datalen;
+                buf.dataptr += 2; /* advance past type & always display */
+
+                _libssh2_get_string(&buf, &message, &message_len);
+                _libssh2_get_string(&buf, &language, &language_len);
             }
 
             if(session->ssh_msg_debug) {
-                LIBSSH2_DEBUG(session, always_display, message,
-                              message_len, language, language_len);
+                LIBSSH2_DEBUG(session, always_display,
+                              (const char *)message,
+                              message_len, (const char *)language,
+                              language_len);
             }
         }
+
         /*
          * _libssh2_debug will actually truncate this for us so
          * that it's not an inordinate about of data
@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
             uint32_t len = 0;
             unsigned char want_reply = 0;
             len = _libssh2_ntohu32(data + 1);
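Review bot: The two `_libssh2_get_string` calls on the new side of the SSH_MSG_DEBUG hunk ignore their return values, so when the message length field exceeds the packet the second call still tries to parse a language string from the same buffer position, and the debug callback can then be handed a NULL message next to a non-empty language. Guard the second parse on the first: `if(_libssh2_get_string(&buf, &message, &message_len) == 0)` followed by `_libssh2_get_string(&buf, &language, &language_len);`, leaving both pairs at their NULL/0 initial values otherwise. Whether a failed call leaves its output parameters untouched depends on `_libssh2_get_string` itself, which is not in this patch; if it does not, the first call's result needs checking as well. The same unchecked pattern appears in the SSH_MSG_DISCONNECT hunk of patch 3. `_libssh2_packet_add` starts and ends outside the hunk.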
-            if(datalen >= (6 + len)) {
+            if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
                 want_reply = data[5 + len];
                 _libssh2_debug(session,
                                LIBSSH2_TRACE_CONN,

From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:15:33 -0700
Subject: [PATCH 2/5] stray whitespace

---
 src/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/packet.c b/src/packet.c
index ac69768cd..8908b2c5a 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
     case SSH_MSG_DEBUG:
         if(datalen >= 2) {
             int always_display = data[1];
-
+
             if(datalen >= 6) {
                 struct string_buf buf;
                 buf.data = (unsigned char *)data;

From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:24:22 -0700
Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT

SSH_MSG_DISCONNECT now also uses _libssh2_get API.
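Review bot: The new bound in the SSH_MSG_GLOBAL_REQUEST hunk can be written without the `UINT_MAX` guard by moving the constant to the other side: `if(datalen >= 6 && len <= datalen - 6) {`, which expresses the same `6 + len <= datalen` requirement with no addition that could wrap. As written the check is sound: `len` is `uint32_t`, so `6 + len` is evaluated as unsigned int and the guard keeps it from wrapping, and the `data[5 + len]` read on the next line then stays inside `datalen`. The same line is touched again by patches 4 and 5, where the simpler form would apply equally. The enclosing `case` block starts and ends outside the hunk.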
---
 src/packet.c | 40 +++++++++++++++-------------------------
 1 file changed, 15 insertions(+), 25 deletions(-)

diff --git a/src/packet.c b/src/packet.c
index 8908b2c5a..97f0cdd4b 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
                     size_t datalen, int macstate)
 {
     int rc = 0;
-    char *message = NULL;
-    char *language = NULL;
+    unsigned char *message = NULL;
+    unsigned char *language = NULL;
     size_t message_len = 0;
     size_t language_len = 0;
     LIBSSH2_CHANNEL *channelp = NULL;
@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
 
     case SSH_MSG_DISCONNECT:
         if(datalen >= 5) {
-            size_t reason = _libssh2_ntohu32(data + 1);
+            uint32_t reason = 0;
+            struct string_buf buf;
+            buf.data = (unsigned char *)data;
+            buf.dataptr = buf.data;
+            buf.len = datalen;
+            buf.dataptr++; /* advance past type */
 
-            if(datalen >= 9) {
-                message_len = _libssh2_ntohu32(data + 5);
+            _libssh2_get_u32(&buf, &reason);
+            _libssh2_get_string(&buf, &message, &message_len);
+            _libssh2_get_string(&buf, &language, &language_len);
 
-                if(message_len < datalen-13) {
-                    /* 9 = packet_type(1) + reason(4) + message_len(4) */
-                    message = (char *) data + 9;
-
-                    language_len =
-                        _libssh2_ntohu32(data + 9 + message_len);
-                    language = (char *) data + 9 + message_len + 4;
-
-                    if(language_len > (datalen-13-message_len)) {
-                        /* bad input, clear info */
-                        language = message = NULL;
-                        language_len = message_len = 0;
-                    }
-                }
-                else
-                    /* bad size, clear it */
-                    message_len = 0;
-            }
             if(session->ssh_msg_disconnect) {
-                LIBSSH2_DISCONNECT(session, reason, message,
-                                   message_len, language, language_len);
+                LIBSSH2_DISCONNECT(session, reason, (const char *)message,
+                                   message_len, (const char *)language,
+                                   language_len);
             }
+
             _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
                            "Disconnect(%d): %s(%s)", reason,
                            message, language);

From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:26:32 -0700
Subject: [PATCH 4/5] fixed stray (

bad paste
---
 src/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/packet.c b/src/packet.c
index 97f0cdd4b..bd4c39e46 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
             uint32_t len = 0;
             unsigned char want_reply = 0;
             len = _libssh2_ntohu32(data + 1);
-            if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
+            if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
                 want_reply = data[5 + len];
                 _libssh2_debug(session,
                                LIBSSH2_TRACE_CONN,

From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:29:00 -0700
Subject: [PATCH 5/5] added additional parentheses for clarity

---
 src/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/packet.c b/src/packet.c
index bd4c39e46..2e01bfc5d 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
             uint32_t len = 0;
             unsigned char want_reply = 0;
             len = _libssh2_ntohu32(data + 1);
-            if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
+            if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
                 want_reply = data[5 + len];
                 _libssh2_debug(session,
                                LIBSSH2_TRACE_CONN,
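Review bot: The `_libssh2_debug` trace kept as context at the end of the SSH_MSG_DISCONNECT hunk of patch 3 still prints `message` and `language` with `%s`, but on the new side both are length-delimited slices of the packet produced by `_libssh2_get_string` (bounded by `message_len`/`language_len`, not NUL-terminated) and, as far as this patch shows, keep their NULL initial values from the first hunk when parsing fails, so the trace can read past the end of the slice or dereference NULL on a malformed disconnect. If `_libssh2_debug` forwards to a printf-style formatter, bound them with the lengths: `"Disconnect(%u): %.*s(%.*s)", reason, (int)message_len, message, (int)language_len, language`, which also matches the conversion to the now-`uint32_t` `reason`. The `_libssh2_get_string` return values are unchecked here, as in the SSH_MSG_DEBUG hunk of patch 1. `_libssh2_packet_add` continues outside the hunk.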