1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
|
From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:14:19 -0700
Subject: [PATCH 1/5] packet.c: improve parsing of packets
file: packet.c
notes:
Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST
---
src/packet.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/packet.c b/src/packet.c
index 38ab6294..ac69768c 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
case SSH_MSG_DEBUG:
if(datalen >= 2) {
int always_display = data[1];
-
+
if(datalen >= 6) {
- message_len = _libssh2_ntohu32(data + 2);
-
- if(message_len <= (datalen - 10)) {
- /* 6 = packet_type(1) + display(1) + message_len(4) */
- message = (char *) data + 6;
- language_len = _libssh2_ntohu32(data + 6 +
- message_len);
-
- if(language_len <= (datalen - 10 - message_len))
- language = (char *) data + 10 + message_len;
- }
+ struct string_buf buf;
+ buf.data = (unsigned char *)data;
+ buf.dataptr = buf.data;
+ buf.len = datalen;
+ buf.dataptr += 2; /* advance past type & always display */
+
+ _libssh2_get_string(&buf, &message, &message_len);
+ _libssh2_get_string(&buf, &language, &language_len);
}
if(session->ssh_msg_debug) {
- LIBSSH2_DEBUG(session, always_display, message,
- message_len, language, language_len);
+ LIBSSH2_DEBUG(session, always_display,
+ (const char *)message,
+ message_len, (const char *)language,
+ language_len);
}
}
+
/*
* _libssh2_debug will actually truncate this for us so
* that it's not an inordinate about of data
@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
uint32_t len = 0;
unsigned char want_reply = 0;
len = _libssh2_ntohu32(data + 1);
- if(datalen >= (6 + len)) {
+ if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
want_reply = data[5 + len];
_libssh2_debug(session,
LIBSSH2_TRACE_CONN,
From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:15:33 -0700
Subject: [PATCH 2/5] stray whitespace
---
src/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/packet.c b/src/packet.c
index ac69768c..8908b2c5 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
case SSH_MSG_DEBUG:
if(datalen >= 2) {
int always_display = data[1];
-
+
if(datalen >= 6) {
struct string_buf buf;
buf.data = (unsigned char *)data;
From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:24:22 -0700
Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT
SSH_MSG_DISCONNECT now also uses _libssh2_get API.
---
src/packet.c | 40 +++++++++++++++-------------------------
1 file changed, 15 insertions(+), 25 deletions(-)
diff --git a/src/packet.c b/src/packet.c
index 8908b2c5..97f0cdd4 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
size_t datalen, int macstate)
{
int rc = 0;
- char *message = NULL;
- char *language = NULL;
+ unsigned char *message = NULL;
+ unsigned char *language = NULL;
size_t message_len = 0;
size_t language_len = 0;
LIBSSH2_CHANNEL *channelp = NULL;
@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
case SSH_MSG_DISCONNECT:
if(datalen >= 5) {
- size_t reason = _libssh2_ntohu32(data + 1);
+ uint32_t reason = 0;
+ struct string_buf buf;
+ buf.data = (unsigned char *)data;
+ buf.dataptr = buf.data;
+ buf.len = datalen;
+ buf.dataptr++; /* advance past type */
- if(datalen >= 9) {
- message_len = _libssh2_ntohu32(data + 5);
+ _libssh2_get_u32(&buf, &reason);
+ _libssh2_get_string(&buf, &message, &message_len);
+ _libssh2_get_string(&buf, &language, &language_len);
- if(message_len < datalen-13) {
- /* 9 = packet_type(1) + reason(4) + message_len(4) */
- message = (char *) data + 9;
-
- language_len =
- _libssh2_ntohu32(data + 9 + message_len);
- language = (char *) data + 9 + message_len + 4;
-
- if(language_len > (datalen-13-message_len)) {
- /* bad input, clear info */
- language = message = NULL;
- language_len = message_len = 0;
- }
- }
- else
- /* bad size, clear it */
- message_len = 0;
- }
if(session->ssh_msg_disconnect) {
- LIBSSH2_DISCONNECT(session, reason, message,
- message_len, language, language_len);
+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
+ message_len, (const char *)language,
+ language_len);
}
+
_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
"Disconnect(%d): %s(%s)", reason,
message, language);
From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:26:32 -0700
Subject: [PATCH 4/5] fixed stray (
bad paste
---
src/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/packet.c b/src/packet.c
index 97f0cdd4..bd4c39e4 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
uint32_t len = 0;
unsigned char want_reply = 0;
len = _libssh2_ntohu32(data + 1);
- if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
+ if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
want_reply = data[5 + len];
_libssh2_debug(session,
LIBSSH2_TRACE_CONN,
From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 29 Aug 2019 15:29:00 -0700
Subject: [PATCH 5/5] added additional parentheses for clarity
---
src/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/packet.c b/src/packet.c
index bd4c39e4..2e01bfc5 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
uint32_t len = 0;
unsigned char want_reply = 0;
len = _libssh2_ntohu32(data + 1);
- if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
want_reply = data[5 + len];
_libssh2_debug(session,
LIBSSH2_TRACE_CONN,
|