Date: Tue, 4 Oct 2022 21:17:23 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 5e5ebbee81bf - main - ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size Message-ID: <202210042117.294LHNlj012355@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=5e5ebbee81bfd1c034caffa00d58d4e06e1b26ee commit 5e5ebbee81bfd1c034caffa00d58d4e06e1b26ee Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2022-10-04 20:28:13 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-10-04 20:30:00 +0000 ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size From OpenSSH-portable commit ff89b1bed807, OpenBSD commit 6ae664f9f4db. MFC after: 3 days --- crypto/openssh/ssh-keyscan.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c index d29a03b4e68a..d7283136c7d2 100644 --- a/crypto/openssh/ssh-keyscan.c +++ b/crypto/openssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */ /* * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. * @@ -490,6 +490,15 @@ congreet(int s) return; } + /* + * Read the server banner as per RFC4253 section 4.2. The "SSH-" + * protocol identification string may be preceeded by an arbitarily + * large banner which we must read and ignore. Loop while reading + * newline-terminated lines until we have one starting with "SSH-". + * The ID string cannot be longer than 255 characters although the + * preceeding banner lines may (in which case they'll be discarded + * in multiple iterations of the outer loop). + */ for (;;) { memset(buf, '\0', sizeof(buf)); bufsiz = sizeof(buf); @@ -517,6 +526,11 @@ congreet(int s) conrecycle(s); return; } + if (cp >= buf + sizeof(buf)) { + error("%s: greeting exceeds allowable length", c->c_name); + confree(s); + return; + } if (*cp != '\n' && *cp != '\r') { error("%s: bad greeting", c->c_name); confree(s);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202210042117.294LHNlj012355>