Date: Fri, 21 Feb 2025 02:56:25 GMT From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 1920babc310a - releng/14.2 - ssh: Fix cases where error codes were not correctly set Message-ID: <202502210256.51L2uPGw079645@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch releng/14.2 has been updated by gordon: URL: https://cgit.FreeBSD.org/src/commit/?id=1920babc310ab8ebaa76188decf1aa5ed88e9d84 commit 1920babc310ab8ebaa76188decf1aa5ed88e9d84 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2025-02-19 03:03:26 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2025-02-21 02:35:04 +0000 ssh: Fix cases where error codes were not correctly set Obtained from: OpenSSH 38df39ecf278 Security: CVE-2025-26465 Security: FreeBSD-SA-25:05.openssh Approved by: so Sponsored by: The FreeBSD Foundation (cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd) (cherry picked from commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404) --- crypto/openssh/krl.c | 4 +++- crypto/openssh/ssh-agent.c | 5 +++++ crypto/openssh/ssh-sk-client.c | 4 +++- crypto/openssh/sshconnect2.c | 5 ++++- crypto/openssh/sshsig.c | 1 + 5 files changed, 16 insertions(+), 3 deletions(-) diff --git a/crypto/openssh/krl.c b/crypto/openssh/krl.c index e2efdf0667a7..0d0f69534182 100644 --- a/crypto/openssh/krl.c +++ b/crypto/openssh/krl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */ /* * Copyright (c) 2012 Damien Miller <djm@mindrot.org> * @@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) break; case KRL_SECTION_CERT_SERIAL_BITMAP: if (rs->lo - bitmap_start > INT_MAX) { + r = SSH_ERR_INVALID_FORMAT; error_f("insane bitmap gap"); goto out; } @@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp) } if ((krl = ssh_krl_init()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; error_f("alloc failed"); goto out; } diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index 67fa376a36ff..5ea283ddaf29 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -1226,6 +1226,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, "restrict-destination-v00@openssh.com") == 0) { if (*dcsp != NULL) { error_f("%s already set", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_froms(m, &b)) != 0) { @@ -1235,6 +1236,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, while (sshbuf_len(b) != 0) { if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) { error_f("too many %s constraints", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } *dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1, @@ -1252,6 +1254,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, } if (*certs != NULL) { error_f("%s already set", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_get_u8(m, &v)) != 0 || @@ -1263,6 +1266,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, while (sshbuf_len(b) != 0) { if (*ncerts >= AGENT_MAX_EXT_CERTS) { error_f("too many %s constraints", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } *certs = xrecallocarray(*certs, *ncerts, *ncerts + 1, @@ -1759,6 +1763,7 @@ process_ext_session_bind(SocketEntry *e) /* record new key/sid */ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { error_f("too many session IDs recorded"); + r = -1; goto out; } e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, diff --git a/crypto/openssh/ssh-sk-client.c b/crypto/openssh/ssh-sk-client.c index 321fe53a2d91..06fad22134fb 100644 --- a/crypto/openssh/ssh-sk-client.c +++ b/crypto/openssh/ssh-sk-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */ +/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device, } if ((srk = calloc(1, sizeof(*srk))) == NULL) { error_f("calloc failed"); + r = SSH_ERR_ALLOC_FAIL; goto out; } srk->key = key; @@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device, if ((tmp = recallocarray(srks, nsrks, nsrks + 1, sizeof(*srks))) == NULL) { error_f("recallocarray keys failed"); + r = SSH_ERR_ALLOC_FAIL; goto out; } debug_f("srks[%zu]: %s %s uidlen %zu", nsrks, diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 745c2a0517f3..51079f067d8a 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) options.required_rsa_size)) != 0) fatal_r(r, "Bad server host key"); if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, - xxx_conn_info) == -1) + xxx_conn_info) != 0) fatal("Host key verification failed."); return 0; } @@ -700,6 +700,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { debug_f("server sent unknown pkalg %s", pkalg); + r = SSH_ERR_INVALID_FORMAT; goto done; } if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { @@ -710,6 +711,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) error("input_userauth_pk_ok: type mismatch " "for decoded key (received %d, expected %d)", key->type, pktype); + r = SSH_ERR_INVALID_FORMAT; goto done; } @@ -729,6 +731,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) SSH_FP_DEFAULT); error_f("server replied with unknown key: %s %s", sshkey_type(key), fp == NULL ? "<ERROR>" : fp); + r = SSH_ERR_INVALID_FORMAT; goto done; } ident = format_identity(id); diff --git a/crypto/openssh/sshsig.c b/crypto/openssh/sshsig.c index 470b286a3a98..057e1df02381 100644 --- a/crypto/openssh/sshsig.c +++ b/crypto/openssh/sshsig.c @@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum, } if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { error_f("buffer error"); + r = SSH_ERR_ALLOC_FAIL; goto out; } /* success */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202502210256.51L2uPGw079645>