Patch: Invalid read while parsing known_hosts
- Subject: Patch: Invalid read while parsing known_hosts
- From: Tilo Eckert <tilo.eckert@xxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Fri, 12 Oct 2018 15:53:32 +0200
- To: libssh@xxxxxxxxxx
Hi,

two patches are attached. The first one fixes an invalid read when parsing lines from the known_hosts file, which was introduced by commit 21962d. The bug causes host keys sent by the server to be randomly rejected.

For the average known_hosts line, the tokens array in ssh_get_knownhost_line() contains four tokens, with tokens[3]=NULL. However, tokens[4] is accessed for token validation, which is beyond the end of the tokens array, resulting in valid host lines being dropped randomly. The patch completely removes the related check because the optional comment field may contain whitespace which would result in an arbitrary number of tokens. Hence, token count >= 3 implies a correctly formatted known_hosts line.

The other patch fixes a type re-declaration issue which causes errors on some compilers.

Regards
Tilo Eckert
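The rule the mail arrives at (a line is usable once it has at least three tokens, and anything after that is comment text) can be enforced from a token count alone, without probing fixed indexes past the NULL terminator. The following is an added sketch, not libssh code: `split_tokens()` and `check_known_hosts_line()` are hypothetical helpers, and the sample line is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char WS[] = " \t\r\n";

/* Hypothetical tokenizer: splits line in place and returns a heap array of
 * exactly *count + 1 pointers, so tok[*count] == NULL is the last valid slot. */
static char **split_tokens(char *line, size_t *count)
{
    size_t n = 0;
    for (const char *p = line + strspn(line, WS); *p != '\0'; n++) {
        p += strcspn(p, WS);            /* skip one token */
        p += strspn(p, WS);             /* skip the gap after it */
    }
    char **tok = calloc(n + 1, sizeof(*tok));   /* zeroed: terminator is set */
    if (tok == NULL) return NULL;
    char *p = line + strspn(line, WS);
    for (size_t i = 0; i < n; i++) {
        tok[i] = p;
        p += strcspn(p, WS);
        if (*p != '\0') *p++ = '\0';    /* end this token */
        p += strspn(p, WS);
    }
    *count = n;
    return tok;
}

/* 1 = host, key type and key present (later tokens are comment text),
 * 0 = too short, -1 = allocation failure. Bounds come from the count. */
static int check_known_hosts_line(const char *text, size_t *count)
{
    char *copy = malloc(strlen(text) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, text);
    char **tok = split_tokens(copy, count);
    int ok = (tok == NULL) ? -1 : (*count >= 3);
    free(tok);
    free(copy);
    return ok;
}

int main(void)
{
    size_t n = 0;   /* constructed sample line: key plus a two-word comment */
    int ok = check_known_hosts_line("host.example ssh-ed25519 AAAAC3 my laptop", &n);
    printf("ok=%d tokens=%zu\n", ok, n);
    return 0;
}
```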
From 51e6d99d53473e5b6c50a04290684d0970c8c1d6 Mon Sep 17 00:00:00 2001 From: Tilo Eckert <tilo.eckert@xxxxxxx> Date: Fri, 12 Oct 2018 15:15:00 +0200 Subject: [PATCH 1/2] knownhosts: Fix invalid read of known_hosts token Fixes invalid read introduced by commit 21962d. Accessing tokens[4] for a known_hosts line of three tokens led to randomly rejected host keys. This commit completely removes the check because the optional comments field may contain whitespace. Signed-off-by: Tilo Eckert <tilo.eckert@xxxxxxx> --- src/known_hosts.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/known_hosts.c b/src/known_hosts.c index f52f74b3..407e1de5 100644 --- a/src/known_hosts.c +++ b/src/known_hosts.c @@ -131,17 +131,13 @@ static char **ssh_get_knownhost_line(FILE **file, const char *filename, return NULL; } - if(!tokens[0] || !tokens[1] || !tokens[2]) { + if(tokens[0] == NULL || tokens[1] == NULL || tokens[2] == NULL) { /* it should have at least 3 tokens */ tokens_free(tokens); continue; } *found_type = tokens[1]; - if (tokens[3] || tokens[4]) { - tokens_free(tokens); - continue; - } return tokens; } -- 2.18.0
From 0fc8625fe5fbfe3532f3277baadd7a1ae4693ebe Mon Sep 17 00:00:00 2001 From: Tilo Eckert <tilo.eckert@xxxxxxx> Date: Fri, 12 Oct 2018 15:22:45 +0200 Subject: [PATCH 2/2] chacha: remove re-declared type re-declaring typedefs are not supported by some compilers Signed-off-by: Tilo Eckert <tilo.eckert@xxxxxxx> --- src/external/chacha.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/external/chacha.c b/src/external/chacha.c index e47a6328..8d1ccca6 100644 --- a/src/external/chacha.c +++ b/src/external/chacha.c @@ -10,8 +10,6 @@ Public domain. #include "libssh/chacha.h" -typedef unsigned int uint32_t; - typedef struct chacha_ctx chacha_ctx; #define U8C(v) (v##U) -- 2.18.0
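Review bot: in src/known_hosts.c, once the `if (tokens[3] || tokens[4])` block is gone, nothing at the `return tokens;` site records that extra tokens are now accepted on purpose. A short comment there, saying that tokens after index 2 belong to the optional comment field and are ignored, would keep a later cleanup from reinstating a fixed-index check and the out-of-bounds read with it; a test line whose comment contains whitespace would pin the behaviour down. The rewrite of `!tokens[0]` to `tokens[0] == NULL` in the same hunk is a style change unrelated to the fix and would read more clearly as its own commit.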
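Review bot: in src/external/chacha.c, with `typedef unsigned int uint32_t;` removed, the only include visible above it is `#include "libssh/chacha.h"`, so this file now depends on that header to provide `uint32_t`. It is worth confirming that the header pulls in `<stdint.h>` itself, or adding that include here explicitly so the file does not rely on a transitive definition.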