Date: Fri, 7 Oct 2022 14:04:40 GMT
Message-Id: <202210071404.297E4eDe047898@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: d47eebe71b28 - stable/12 - ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: d47eebe71b28c46352892967da819bb243ee1f6a

The branch stable/12 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=d47eebe71b28c46352892967da819bb243ee1f6a commit d47eebe71b28c46352892967da819bb243ee1f6a Author: Ed Maste AuthorDate: 2022-10-04 20:28:13 +0000 Commit: Ed Maste CommitDate: 2022-10-07 13:22:10 +0000 ssh-keyscan: Strictly enforce the maximum allowed SSH2 banner size From OpenSSH-portable commit ff89b1bed807, OpenBSD commit 6ae664f9f4db. MFC after: 3 days (cherry picked from commit 5e5ebbee81bfd1c034caffa00d58d4e06e1b26ee) (cherry picked from commit 1057339079a0cb37648fa2afe44e9eceec737439) --- crypto/openssh/ssh-keyscan.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c index d29a03b4e68a..d7283136c7d2 100644 --- a/crypto/openssh/ssh-keyscan.c +++ b/crypto/openssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.145 2022/01/21 00:53:40 deraadt Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.146 2022/08/19 04:02:46 dtucker Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -490,6 +490,15 @@ congreet(int s) return; } + /* + * Read the server banner as per RFC4253 section 4.2. The "SSH-" + * protocol identification string may be preceeded by an arbitarily + * large banner which we must read and ignore. Loop while reading + * newline-terminated lines until we have one starting with "SSH-". + * The ID string cannot be longer than 255 characters although the + * preceeding banner lines may (in which case they'll be discarded + * in multiple iterations of the outer loop). + */ for (;;) { memset(buf, '\0', sizeof(buf)); bufsiz = sizeof(buf); @@ -517,6 +526,11 @@ congreet(int s) conrecycle(s); return; } + if (cp >= buf + sizeof(buf)) { + error("%s: greeting exceeds allowable length", c->c_name); + confree(s); + return; + } if (*cp != '\n' && *cp != '\r') { error("%s: bad greeting", c->c_name); confree(s);
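Review bot: the comment added to congreet() in the @@ -490,6 +490,15 @@ hunk states a 255-character limit for the ID string, while the code in this patch bounds the read with sizeof(buf), and the declaration of buf is not in the visible context. Either name the buffer size the comment depends on, or use one named constant for both the declaration and the stated limit, so the two cannot drift apart. The same comment misspells "preceeded", "arbitarily" and "preceeding"; as the text comes from the OpenSSH-portable and OpenBSD commits named in the message, the correction is better sent upstream than carried as a local difference in the vendor file.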
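Review bot: the new bounds check in the @@ -517,6 +526,11 @@ hunk lands without a regression test (the diffstat lists only crypto/openssh/ssh-keyscan.c). A test in which the peer sends an identification line that fills buf with no terminating newline would pin the behaviour of the "cp >= buf + sizeof(buf)" branch. Its placement ahead of the "*cp != '\n' && *cp != '\r'" test is what keeps that dereference inside buf, so it should carry a one-line comment saying so, to stop a later reordering from undoing it. The failure path calls confree(s), matching the "bad greeting" branch below rather than the conrecycle(s) branch above, so an over-long greeting drops the host instead of retrying; please confirm that is the intended handling.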