From nobody Wed Feb 19 14:54:35 2025 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YyfYm4Tw3z5pT0n; Wed, 19 Feb 2025 14:54:36 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YyfYm0mfJz4DlX; Wed, 19 Feb 2025 14:54:36 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1739976876; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1NHnM776CJvjYMR+ACWXNX273NZ3mCUJycsa6V14cbw=; b=RZ1AboDEKV8iRQd0ABtak33WwPI7nSiZOMz3pnP/A9BvYtalFe7opszex7791B3/R/B/rj yKWbvwPZo3lw22deqWB92LFprBJ4q8i6E4Lt17c59BFebOkJ9AK7pBanMYenDaf3f/PSsy qhE45ZGUNaIAW4QAw4ctsW7A5T9WEuKvA5qRDZb4VzzpXPiegeZlerE9yraXDRKKxa2xC6 JXFBOpybf6TQq68sj2l5KO5UDGQTsFi6lFMUVF75SGY45Ac5AI7zRAtT56wbKB0AS7ZoA9 Za8baeLAIg7MbbvCBmuD5hafNtkwn5QBYUG00HGvwXfcH8IuwVle+/X5fngDCA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1739976876; a=rsa-sha256; cv=none; b=loLqXfjm2s87WOJ8QvDb0KyOhXRjoAmxgvvJ2mgEoqnhxgeZNAy4biN1Ts1CVowrXiZTzL MFys/2iBl/r0OPboDIgskbJ0fOImRRouEik4z25wasNCRQ7BpkU6VFnBftD85Su/Cl4wKS qaq2/rqXnRbpfGMh0lFAQdx6OiumdO7t/mA9WNsRVThuZetxY0x6wV2aqbfyujKUAVpLK/ rQmWh085L/BuLFU0YEmDtey3okSz3ZG+j7cSkWmYbX7GcRxqZTMJ5+9D2KpIVRSbNfu/O0 gf+I7frCfZRIi/TmE1644CzD5j/5JVTteWMDeGcPKThvL4Gn24Eb3fHwBsU19Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1739976876; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1NHnM776CJvjYMR+ACWXNX273NZ3mCUJycsa6V14cbw=; b=YAzmdvHZuVbCdLUn8xHaVP25kJ7bOgXTf5RkVKM672zWbRSE0kjFIdP7FPaGeECwCy+LxT 2gy2Hdnki2bhbmMUEPUDhz2IakYx30b81mNRX1KzkkhZfCuNnic6hkLZpHreIJ0mh4QRxa aXorXSVYjjKuUSdMfJWhVPdp8jJW6Tr7MOSjXDybT+2Jkk0a7URYUDCBBiW0f7YWz7REcX cKA+cOdB1/8l2qT8vR4F2JjEt4UnNBz1/IUh3xH3NhkGhsV2Xk73+q/1sTWKMQMJ5dZuHG jcGnFE7w8lF4Jzih8NykT02OxV1RS/jNZorN8MqqzMAub4gZC3wV6+8w+NrwaQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YyfYm0Gzxz1955; Wed, 19 Feb 2025 14:54:36 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 51JEsZeV013164; Wed, 19 Feb 2025 14:54:35 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 51JEsZwb013161; Wed, 19 Feb 2025 14:54:35 GMT (envelope-from git) Date: Wed, 19 Feb 2025 14:54:35 GMT Message-Id: <202502191454.51JEsZwb013161@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 4ad8c195cf54 - stable/14 - ssh: Fix cases where error codes were not correctly set List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: 4ad8c195cf54411e3b3fa0bec227eb83ca078404 Auto-Submitted: auto-generated The branch stable/14 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=4ad8c195cf54411e3b3fa0bec227eb83ca078404 commit 4ad8c195cf54411e3b3fa0bec227eb83ca078404 Author: Ed Maste AuthorDate: 2025-02-19 03:03:26 +0000 Commit: Ed Maste CommitDate: 2025-02-19 14:42:52 +0000 ssh: Fix cases where error codes were not correctly set Obtained from: OpenSSH 38df39ecf278 Security: CVE-2025-26465 Approved by: so Sponsored by: The FreeBSD Foundation (cherry picked from commit 170059d6d33cf4e890067097f3c0beb3061cabbd) --- crypto/openssh/krl.c | 4 +++- crypto/openssh/ssh-agent.c | 5 +++++ crypto/openssh/ssh-sk-client.c | 4 +++- crypto/openssh/sshconnect2.c | 5 ++++- crypto/openssh/sshsig.c | 1 + 5 files changed, 16 insertions(+), 3 deletions(-) diff --git a/crypto/openssh/krl.c b/crypto/openssh/krl.c index e2efdf0667a7..0d0f69534182 100644 --- a/crypto/openssh/krl.c +++ b/crypto/openssh/krl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */ /* * Copyright (c) 2012 Damien Miller * @@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) break; case KRL_SECTION_CERT_SERIAL_BITMAP: if (rs->lo - bitmap_start > INT_MAX) { + r = SSH_ERR_INVALID_FORMAT; error_f("insane bitmap gap"); goto out; } @@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp) } if ((krl = ssh_krl_init()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; error_f("alloc failed"); goto out; } diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index 67fa376a36ff..5ea283ddaf29 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -1226,6 +1226,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, "restrict-destination-v00@openssh.com") == 0) { if (*dcsp != NULL) { error_f("%s already set", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_froms(m, &b)) != 0) { @@ -1235,6 +1236,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, while (sshbuf_len(b) != 0) { if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) { error_f("too many %s constraints", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } *dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1, @@ -1252,6 +1254,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, } if (*certs != NULL) { error_f("%s already set", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } if ((r = sshbuf_get_u8(m, &v)) != 0 || @@ -1263,6 +1266,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp, while (sshbuf_len(b) != 0) { if (*ncerts >= AGENT_MAX_EXT_CERTS) { error_f("too many %s constraints", ext_name); + r = SSH_ERR_INVALID_FORMAT; goto out; } *certs = xrecallocarray(*certs, *ncerts, *ncerts + 1, @@ -1759,6 +1763,7 @@ process_ext_session_bind(SocketEntry *e) /* record new key/sid */ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { error_f("too many session IDs recorded"); + r = -1; goto out; } e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, diff --git a/crypto/openssh/ssh-sk-client.c b/crypto/openssh/ssh-sk-client.c index 321fe53a2d91..06fad22134fb 100644 --- a/crypto/openssh/ssh-sk-client.c +++ b/crypto/openssh/ssh-sk-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */ +/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device, } if ((srk = calloc(1, sizeof(*srk))) == NULL) { error_f("calloc failed"); + r = SSH_ERR_ALLOC_FAIL; goto out; } srk->key = key; @@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device, if ((tmp = recallocarray(srks, nsrks, nsrks + 1, sizeof(*srks))) == NULL) { error_f("recallocarray keys failed"); + r = SSH_ERR_ALLOC_FAIL; goto out; } debug_f("srks[%zu]: %s %s uidlen %zu", nsrks, diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c index 745c2a0517f3..51079f067d8a 100644 --- a/crypto/openssh/sshconnect2.c +++ b/crypto/openssh/sshconnect2.c @@ -101,7 +101,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) options.required_rsa_size)) != 0) fatal_r(r, "Bad server host key"); if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, - xxx_conn_info) == -1) + xxx_conn_info) != 0) fatal("Host key verification failed."); return 0; } @@ -700,6 +700,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { debug_f("server sent unknown pkalg %s", pkalg); + r = SSH_ERR_INVALID_FORMAT; goto done; } if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { @@ -710,6 +711,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) error("input_userauth_pk_ok: type mismatch " "for decoded key (received %d, expected %d)", key->type, pktype); + r = SSH_ERR_INVALID_FORMAT; goto done; } @@ -729,6 +731,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) SSH_FP_DEFAULT); error_f("server replied with unknown key: %s %s", sshkey_type(key), fp == NULL ? "" : fp); + r = SSH_ERR_INVALID_FORMAT; goto done; } ident = format_identity(id); diff --git a/crypto/openssh/sshsig.c b/crypto/openssh/sshsig.c index 470b286a3a98..057e1df02381 100644 --- a/crypto/openssh/sshsig.c +++ b/crypto/openssh/sshsig.c @@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum, } if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { error_f("buffer error"); + r = SSH_ERR_ALLOC_FAIL; goto out; } /* success */