Date:      Fri, 7 Oct 2022 01:39:42 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 1057339079a0 - stable/13 - ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size
Message-ID:  <202210070139.2971dgcX016226@gitrepo.freebsd.org>

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=1057339079a0cb37648fa2afe44e9eceec737439

commit 1057339079a0cb37648fa2afe44e9eceec737439
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-10-04 20:28:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-10-07 01:39:00 +0000

    ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size
    
    From OpenSSH-portable commit ff89b1bed807, OpenBSD commit 6ae664f9f4db.
    
    MFC after:      3 days
    
    (cherry picked from commit 5e5ebbee81bfd1c034caffa00d58d4e06e1b26ee)
---
 crypto/openssh/ssh-keyscan.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
index d29a03b4e68a..d7283136c7d2 100644
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -490,6 +490,15 @@ congreet(int s)
 		return;
 	}
 
+	/*
+	 * Read the server banner as per RFC4253 section 4.2.  The "SSH-"
+	 * protocol identification string may be preceeded by an arbitarily
+	 * large banner which we must read and ignore.  Loop while reading
+	 * newline-terminated lines until we have one starting with "SSH-".
+	 * The ID string cannot be longer than 255 characters although the
+	 * preceeding banner lines may (in which case they'll be discarded
+	 * in multiple iterations of the outer loop).
+	 */
 	for (;;) {
 		memset(buf, '\0', sizeof(buf));
 		bufsiz = sizeof(buf);
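Review bot: the new comment block has spelling errors that will otherwise be carried into every future merge from upstream: "preceeded" and "preceeding" should read "preceded" and "preceding", and "arbitarily" should read "arbitrarily". Since this is a verbatim import of the OpenBSD change, the fix belongs upstream first, but it is worth noting so it is not lost.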
@@ -517,6 +526,11 @@ congreet(int s)
 		conrecycle(s);
 		return;
 	}
+	if (cp >= buf + sizeof(buf)) {
+		error("%s: greeting exceeds allowable length", c->c_name);
+		confree(s);
+		return;
+	}
 	if (*cp != '\n' && *cp != '\r') {
 		error("%s: bad greeting", c->c_name);
 		confree(s);
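Review bot: the placement of the new check is the important part of this hunk and is correct: it must sit before the existing `if (*cp != '\n' && *cp != '\r')` test, because once `cp` has reached `buf + sizeof(buf)` that dereference reads one byte past the end of `buf`. Two small follow-ups to consider: the diagnostic "greeting exceeds allowable length" does not say what the limit is, so appending `sizeof(buf)` to the message would make the error actionable when scanning a host with an oversized banner; and it would be worth a one-line comment here tying the check back to the 255-character ID string limit described in the comment added earlier in `congreet`, so a later reader sees why this path uses `confree(s)` (give up on the host) rather than `conrecycle(s)`.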
