summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2011-12-19 10:52:50 +1100
committerDamien Miller <djm@mindrot.org>2011-12-19 10:52:50 +1100
commit8ed4de8f1dcebddd7edc0dd3c10f1cb947d831eb (patch)
tree3c9442e4dfcae3662f42cb53cccc7e45f98c0897
parent913ddff40d090751d50be2339cd859505b24f65b (diff)
- djm@cvs.openbsd.org 2011/12/07 05:44:38
[auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c] fix some harmless and/or unreachable int overflows; reported Xi Wang, ok markus@
-rw-r--r--ChangeLog4
-rw-r--r--auth2.c4
-rw-r--r--dh.c4
-rw-r--r--packet.c4
-rw-r--r--roaming.h7
-rw-r--r--roaming_client.c4
-rw-r--r--roaming_common.c4
7 files changed, 20 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 3f0471d7..a0655485 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,10 @@
> fix bz#1948: ssh -f doesn't fork for multiplexed connection.
> ok dtucker@
it interacts badly with ControlPersist
+ - djm@cvs.openbsd.org 2011/12/07 05:44:38
+ [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
+ fix some harmless and/or unreachable int overflows;
+ reported Xi Wang, ok markus@
20111125
- OpenBSD CVS Sync
diff --git a/auth2.c b/auth2.c
index c06c95f0..b66bef64 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -113,7 +113,7 @@ auth2_read_banner(void)
close(fd);
return (NULL);
}
- if (st.st_size > 1*1024*1024) {
+ if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
close(fd);
return (NULL);
}
diff --git a/dh.c b/dh.c
index b9029d86..d943ca1e 100644
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */
+/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@@ -236,6 +236,8 @@ dh_gen_key(DH *dh, int need)
{
int i, bits_set, tries = 0;
+ if (need < 0)
+ fatal("dh_gen_key: need < 0");
if (dh->p == NULL)
fatal("dh_gen_key: dh->p == NULL");
if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
diff --git a/packet.c b/packet.c
index ba934173..5e82fe75 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.173 2011/05/06 21:14:05 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.174 2011/12/07 05:44:38 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -242,7 +242,7 @@ packet_set_connection(int fd_in, int fd_out)
void
packet_set_timeout(int timeout, int count)
{
- if (timeout == 0 || count == 0) {
+ if (timeout <= 0 || count <= 0) {
active_state->packet_timeout_ms = -1;
return;
}
diff --git a/roaming.h b/roaming.h
index 6bb94cc3..da069f87 100644
--- a/roaming.h
+++ b/roaming.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming.h,v 1.5 2009/10/24 11:11:58 andreas Exp $ */
+/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@@ -18,8 +18,9 @@
#ifndef ROAMING_H
#define ROAMING_H
-#define DEFAULT_ROAMBUF 65536
-#define ROAMING_REQUEST "roaming@appgate.com"
+#define DEFAULT_ROAMBUF 65536
+#define MAX_ROAMBUF (2*1024*1024) /* XXX arbitrary */
+#define ROAMING_REQUEST "roaming@appgate.com"
extern int roaming_enabled;
extern int resume_in_progress;
diff --git a/roaming_client.c b/roaming_client.c
index cea8e736..48009d78 100644
--- a/roaming_client.c
+++ b/roaming_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_client.c,v 1.3 2010/01/18 01:50:27 dtucker Exp $ */
+/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@@ -72,7 +72,7 @@ roaming_reply(int type, u_int32_t seq, void *ctxt)
cookie = packet_get_int64();
key1 = oldkey1 = packet_get_int64();
key2 = oldkey2 = packet_get_int64();
- set_out_buffer_size(packet_get_int() + get_snd_buf_size());
+ set_out_buffer_size(packet_get_int() + get_snd_buf_size());
roaming_enabled = 1;
}
diff --git a/roaming_common.c b/roaming_common.c
index 9adbe56f..8d0b6054 100644
--- a/roaming_common.c
+++ b/roaming_common.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_common.c,v 1.8 2010/01/12 00:59:29 djm Exp $ */
+/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */
/*
* Copyright (c) 2004-2009 AppGate Network Security AB
*
@@ -75,6 +75,8 @@ get_recv_buf_size()
void
set_out_buffer_size(size_t size)
{
+ if (size == 0 || size > MAX_ROAMBUF)
+ fatal("%s: bad buffer size %lu", __func__, (u_long)size);
/*
* The buffer size can only be set once and the buffer will live
* as long as the session lives.