From nobody Thu Feb 20 18:00:46 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YzLf81fzKz5pDK1; Thu, 20 Feb 2025 18:00:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YzLf655nNz3FXF; Thu, 20 Feb 2025 18:00:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1740074446; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=HNioPITYNemg7E6GGpOkH3TCUaA/eToCn155T0d/mKo=; b=F1jMOX4OsUKRLvpyX7VsqMkju8VeE8baNgp7zOzZ9un8dAY9JfNReUCar7V/cEGOIcm++3 xj+rvHpGwX7+QISuYayUNOi4YOGbOoYOkY4uUdmgOVW0DSqNUvUQr+WjpFVLWgWroZB8mh flsDgStu2DY4E22kS6EJEHyfsvIZCY8SYmhMpiQBcGC7It3kcAXATRElcVD0URTHTuHpIi dv6o+dC4acjg7tMo0lEuhqQr0o9I7tkvO4EtVke54OWDgmOTiBxiND5QvKt0pcrnJQvo59 i5LkTdyCa8t8V8wUL38gEcAyKz4KzMw+mMmOQEW3CiQrU/JkhTX6y9i0y9NIYg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1740074446; a=rsa-sha256; cv=none; b=vaHoUNzEu78cM4gXsj2lGlA0X8iFAEG7izazLunEbm0r0o86nsnaK9+atv9ds23MFaRM1A 0eSz1Rn3eUUvRkpzsUcDerOyq4wGzC4m5qvbcx7plrnE1QkJJX0wke+u/lgi6DZRfqy9AD W7327uXRJzN/ariAaMo/tZSdxL6xolCmeKlDclXl0TtA3WWuKZKON9vlidsA/9i8ThvZhM Ot+t2ecuIAOsKjZaskVqCz8Pv8VsMG3GEFBIjMIErTFvm9fFVz39sccdI13bcCyEem9yeo 1DyxL6eSHBUmJC5lZiZyyiGrkFI2WvpgpMki9UMJeTngWNXCPr+3dyGvy84tSQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1740074446; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=HNioPITYNemg7E6GGpOkH3TCUaA/eToCn155T0d/mKo=; b=Q8IkqASNy4L0cK2cGji6yhKVAFPqg5ADnoC0EbylWlx/5Dr7eimAY8qOVKkzy7fDACI8MZ 8PtQe5fMrWUTAyv4hsr2283Whg2TuMWD11c8toARhs+tvgtnskn8xUthA7fFxS4KAkKJ8/ um5SSSlRw196d6ybOqfMMNG8PlK7ttrPv2ltnoADw72zejfvq3WRiyTa7vchHyomWIKzT1 JVxNSN93Vn3QRGHuE7RSkQsZB/91Vfe+ejvtXPdjhp4u9WnKcIuTQlqmO09iLyiAF/bazm T+G8vV4O/tfgDupy4KQELFwnnfQB2F5SIg6J5CbUWn7qEx51Ci9knwXsVc28Sg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YzLf64bRRz129w; Thu, 20 Feb 2025 18:00:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 51KI0k4v079273; Thu, 20 Feb 2025 18:00:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 51KI0ksm079270; Thu, 20 Feb 2025 18:00:46 GMT (envelope-from git) Date: Thu, 20 Feb 2025 18:00:46 GMT Message-Id: <202502201800.51KI0ksm079270@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 88fcdcb08a25 - releng/13.5 - ssh: Fix cases where error codes were not correctly set List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.5 X-Git-Reftype: branch X-Git-Commit: 88fcdcb08a2541c2d7db55c7cb3cecaca325160c Auto-Submitted: auto-generated The branch releng/13.5 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=88fcdcb08a2541c2d7db55c7cb3cecaca325160c commit 88fcdcb08a2541c2d7db55c7cb3cecaca325160c Author: Ed Maste AuthorDate: 2025-02-19 03:03:26 +0000 Commit: Ed Maste CommitDate: 2025-02-20 18:00:19 +0000 ssh: Fix cases where error codes were not correctly set Obtained from: OpenSSH 38df39ecf278 Security: CVE-2025-26465 Approved by: so Sponsored by: The FreeBSD Foundation (cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd) (cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404) (cherry picked from commit 8c67967cb14b0ab7e26ffa9ab6cef470a154e030) Approved by: re (implicit) --- crypto/openssh/krl.c | 4 +++- crypto/openssh/ssh-agent.c | 5 +++++ crypto/openssh/ssh-sk-client.c | 4 +++- crypto/openssh/sshconnect2.c | 5 ++++- crypto/openssh/sshsig.c | 1 + 5 files changed, 16 insertions(+), 3 deletions(-) diff --git a/crypto/openssh/krl.c b/crypto/openssh/krl.c index e2efdf0667a7..0d0f69534182 100644 --- a/crypto/openssh/krl.c +++ b/crypto/openssh/krl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */ /* * Copyright (c) 2012 Damien Miller * @@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) break; case KRL_SECTION_CERT_SERIAL_BITMAP: if (rs->lo - bitmap_start > INT_MAX) { + r = SSH_ERR_INVALID_FORMAT; error_f("insane bitmap gap"); goto out; } @@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp) } if ((krl = ssh_krl_init()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; error_f("alloc failed"); goto out; } diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index 67fa376a36ff..5ea283ddaf29 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -1226,6 +1226,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, "restrict-destination-v00@openssh.com") == 0) { if (*dcsp != NULL) { error_f("%s already set", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_froms(m, &b)) != 0) { @@ -1235,6 +1236,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, while (sshbuf_len(b) != 0) { if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) { error_f("too many %s constraints", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } *dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1, @@ -1252,6 +1254,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, } if (*certs != NULL) { error_f("%s already set", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_get_u8(m, &v)) != 0 || @@ -1263,6 +1266,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, while (sshbuf_len(b) != 0) { if (*ncerts >= AGENT_MAX_EXT_CERTS) { error_f("too many %s constraints", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } *certs = xrecallocarray(*certs, *ncerts, *ncerts + 1, @@ -1759,6 +1763,7 @@ process_ext_session_bind(SocketEntry *e) /* record new key/sid */ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { error_f("too many session IDs recorded"); + r = -1; goto out; } e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, diff --git a/crypto/openssh/ssh-sk-client.c b/crypto/openssh/ssh-sk-client.c index 321fe53a2d91..06fad22134fb 100644 --- a/crypto/openssh/ssh-sk-client.c +++ b/crypto/openssh/ssh-sk-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */ +/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device, } if ((srk = calloc(1, sizeof(*srk))) == NULL) { error_f("calloc failed"); + r = SSH_ERR_ALLOC_FAIL; goto out; } srk->key = key; @@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device, if ((tmp = recallocarray(srks, nsrks, nsrks + 1, sizeof(*srks))) == NULL) { error_f("recallocarray keys failed"); + r = SSH_ERR_ALLOC_FAIL; goto out; } debug_f("srks[%zu]: %s %s uidlen %zu", nsrks, diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 745c2a0517f3..51079f067d8a 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) options.required_rsa_size)) != 0) fatal_r(r, "Bad server host key"); if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, - xxx_conn_info) == -1) + xxx_conn_info) != 0) fatal("Host key verification failed."); return 0; } @@ -700,6 +700,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { debug_f("server sent unknown pkalg %s", pkalg); + r = SSH_ERR_INVALID_FORMAT; goto done; } if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { @@ -710,6 +711,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) error("input_userauth_pk_ok: type mismatch " "for decoded key (received %d, expected %d)", key->type, pktype); + r = SSH_ERR_INVALID_FORMAT; goto done; } @@ -729,6 +731,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) SSH_FP_DEFAULT); error_f("server replied with unknown key: %s %s", sshkey_type(key), fp == NULL ? "" : fp); + r = SSH_ERR_INVALID_FORMAT; goto done; } ident = format_identity(id); diff --git a/crypto/openssh/sshsig.c b/crypto/openssh/sshsig.c index 470b286a3a98..057e1df02381 100644 --- a/crypto/openssh/sshsig.c +++ b/crypto/openssh/sshsig.c @@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum, } if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { error_f("buffer error"); + r = SSH_ERR_ALLOC_FAIL; goto out; } /* success */