Date: Fri, 7 Oct 2022 01:39:42 GMT
Message-Id: <202210070139.2971dgcX016226@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 1057339079a0 - stable/13 - ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 1057339079a0cb37648fa2afe44e9eceec737439

The branch stable/13 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=1057339079a0cb37648fa2afe44e9eceec737439 commit 1057339079a0cb37648fa2afe44e9eceec737439 Author: Ed Maste AuthorDate: 2022-10-04 20:28:13 +0000 Commit: Ed Maste CommitDate: 2022-10-07 01:39:00 +0000 ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size From OpenSSH-portable commit ff89b1bed807, OpenBSD commit 6ae664f9f4db. MFC after: 3 days (cherry picked from commit 5e5ebbee81bfd1c034caffa00d58d4e06e1b26ee) --- crypto/openssh/ssh-keyscan.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c index d29a03b4e68a..d7283136c7d2 100644 --- a/crypto/openssh/ssh-keyscan.c +++ b/crypto/openssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -490,6 +490,15 @@ congreet(int s) return; } + /* + * Read the server banner as per RFC4253 section 4.2. The "SSH-" + * protocol identification string may be preceeded by an arbitarily + * large banner which we must read and ignore. Loop while reading + * newline-terminated lines until we have one starting with "SSH-". + * The ID string cannot be longer than 255 characters although the + * preceeding banner lines may (in which case they'll be discarded + * in multiple iterations of the outer loop). + */ for (;;) { memset(buf, '\0', sizeof(buf)); bufsiz = sizeof(buf); @@ -517,6 +526,11 @@ congreet(int s) conrecycle(s); return; } + if (cp >= buf + sizeof(buf)) { + error("%s: greeting exceeds allowable length", c->c_name); + confree(s); + return; + } if (*cp != '\n' && *cp != '\r') { error("%s: bad greeting", c->c_name); confree(s);
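
Review bot: the block comment added in the @@ -490,6 +490,15 @@ hunk misspells three words ("preceeded", "arbitarily", "preceeding"; these should be "preceded", "arbitrarily", "preceding"), and it states a 255-character limit for the ID string while the check added further down is expressed as sizeof(buf), whose declaration is outside the visible context. Since this is a cherry-pick of an OpenSSH change, the spelling fix is best sent upstream rather than applied locally. It would also help if the comment said how the 255-character limit relates to the size of buf, so a later change to the buffer size does not silently change the enforced limit.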
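
Review bot: the new "if (cp >= buf + sizeof(buf))" check in the @@ -517,6 +526,11 @@ hunk carries no comment of its own, although its position matters: it has to sit before the "*cp != '\n' && *cp != '\r'" test in the following context line, because that test dereferences cp. A one-line comment saying that cp may equal buf + sizeof(buf) when no line terminator was read, and that this rejection applies to the "SSH-" identification line and not to the longer preceding banner lines the earlier comment says are tolerated, would keep a later reorder from reintroducing the read past the end of buf. The error text "greeting exceeds allowable length" could also state the limit, and the diffstat shows only ssh-keyscan.c changed, so a regression case with an unterminated, buffer-filling greeting is worth adding.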