From 8ed4de8f1dcebddd7edc0dd3c10f1cb947d831eb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 Dec 2011 10:52:50 +1100 Subject: [PATCH] - djm@cvs.openbsd.org 2011/12/07 05:44:38 [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c] fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@ --- ChangeLog | 4 ++++ auth2.c | 4 ++-- dh.c | 4 +++- packet.c | 4 ++-- roaming.h | 7 ++++--- roaming_client.c | 4 ++-- roaming_common.c | 4 +++- 7 files changed, 20 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f0471d70..a06554857 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,10 @@ > fix bz#1948: ssh -f doesn't fork for multiplexed connection. > ok dtucker@ it interacts badly with ControlPersist + - djm@cvs.openbsd.org 2011/12/07 05:44:38 + [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c] + fix some harmless and/or unreachable int overflows; + reported Xi Wang, ok markus@ 20111125 - OpenBSD CVS Sync diff --git a/auth2.c b/auth2.c index c06c95f06..b66bef64c 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */ +/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -113,7 +113,7 @@ auth2_read_banner(void) close(fd); return (NULL); } - if (st.st_size > 1*1024*1024) { + if (st.st_size <= 0 || st.st_size > 1*1024*1024) { close(fd); return (NULL); } diff --git a/dh.c b/dh.c index b9029d867..d943ca1e1 100644 --- a/dh.c +++ b/dh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */ +/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */ /* * Copyright (c) 2000 Niels Provos. All rights reserved. * @@ -236,6 +236,8 @@ dh_gen_key(DH *dh, int need) { int i, bits_set, tries = 0; + if (need < 0) + fatal("dh_gen_key: need < 0"); if (dh->p == NULL) fatal("dh_gen_key: dh->p == NULL"); if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p)) diff --git a/packet.c b/packet.c index ba9341731..5e82fe753 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.173 2011/05/06 21:14:05 djm Exp $ */ +/* $OpenBSD: packet.c,v 1.174 2011/12/07 05:44:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -242,7 +242,7 @@ packet_set_connection(int fd_in, int fd_out) void packet_set_timeout(int timeout, int count) { - if (timeout == 0 || count == 0) { + if (timeout <= 0 || count <= 0) { active_state->packet_timeout_ms = -1; return; } diff --git a/roaming.h b/roaming.h index 6bb94cc39..da069f878 100644 --- a/roaming.h +++ b/roaming.h @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming.h,v 1.5 2009/10/24 11:11:58 andreas Exp $ */ +/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -18,8 +18,9 @@ #ifndef ROAMING_H #define ROAMING_H -#define DEFAULT_ROAMBUF 65536 -#define ROAMING_REQUEST "roaming@appgate.com" +#define DEFAULT_ROAMBUF 65536 +#define MAX_ROAMBUF (2*1024*1024) /* XXX arbitrary */ +#define ROAMING_REQUEST "roaming@appgate.com" extern int roaming_enabled; extern int resume_in_progress; diff --git a/roaming_client.c b/roaming_client.c index cea8e7360..48009d781 100644 --- a/roaming_client.c +++ b/roaming_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_client.c,v 1.3 2010/01/18 01:50:27 dtucker Exp $ */ +/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -72,7 +72,7 @@ roaming_reply(int type, u_int32_t seq, void *ctxt) cookie = packet_get_int64(); key1 = oldkey1 = packet_get_int64(); key2 = oldkey2 = packet_get_int64(); - set_out_buffer_size(packet_get_int() + get_snd_buf_size()); + set_out_buffer_size(packet_get_int() + get_snd_buf_size()); roaming_enabled = 1; } diff --git a/roaming_common.c b/roaming_common.c index 9adbe56fc..8d0b6054a 100644 --- a/roaming_common.c +++ b/roaming_common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roaming_common.c,v 1.8 2010/01/12 00:59:29 djm Exp $ */ +/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */ /* * Copyright (c) 2004-2009 AppGate Network Security AB * @@ -75,6 +75,8 @@ get_recv_buf_size() void set_out_buffer_size(size_t size) { + if (size == 0 || size > MAX_ROAMBUF) + fatal("%s: bad buffer size %lu", __func__, (u_long)size); /* * The buffer size can only be set once and the buffer will live * as long as the session lives.