mirror of
https://git.libssh.org/projects/libssh.git
synced 2026-02-11 18:50:28 +09:00
Reproducer for out of bounds read of SFTP extensions
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
(cherry picked from commit b90b7f2451)
This commit is contained in:
Jakub Jelen
@@ -72,6 +72,63 @@ static void session_setup_channel(void **state)
|
|||||||
assert_non_null(s->ssh.tsftp);
|
assert_non_null(s->ssh.tsftp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void session_setup_extensions(void **state)
|
||||||
|
{
|
||||||
|
struct torture_state *s = *state;
|
||||||
|
struct passwd *pwd = NULL;
|
||||||
|
int rc, count;
|
||||||
|
const char *name = NULL, *data = NULL;
|
||||||
|
sftp_session sftp = NULL;
|
||||||
|
|
||||||
|
pwd = getpwnam("bob");
|
||||||
|
assert_non_null(pwd);
|
||||||
|
|
||||||
|
rc = setuid(pwd->pw_uid);
|
||||||
|
assert_return_code(rc, errno);
|
||||||
|
|
||||||
|
s->ssh.session = torture_ssh_session(s,
|
||||||
|
TORTURE_SSH_SERVER,
|
||||||
|
NULL,
|
||||||
|
TORTURE_SSH_USER_ALICE,
|
||||||
|
NULL);
|
||||||
|
assert_non_null(s->ssh.session);
|
||||||
|
|
||||||
|
s->ssh.tsftp = torture_sftp_session(s->ssh.session);
|
||||||
|
assert_non_null(s->ssh.tsftp);
|
||||||
|
sftp = s->ssh.tsftp->sftp;
|
||||||
|
|
||||||
|
/* null parameter */
|
||||||
|
count = sftp_extensions_get_count(NULL);
|
||||||
|
assert_int_equal(count, 0);
|
||||||
|
|
||||||
|
count = sftp_extensions_get_count(sftp);
|
||||||
|
assert_int_not_equal(count, 0);
|
||||||
|
|
||||||
|
/* first null parameter */
|
||||||
|
name = sftp_extensions_get_name(NULL, 0);
|
||||||
|
assert_null(name);
|
||||||
|
data = sftp_extensions_get_data(NULL, 0);
|
||||||
|
assert_null(data);
|
||||||
|
|
||||||
|
/* First extension */
|
||||||
|
name = sftp_extensions_get_name(sftp, 0);
|
||||||
|
assert_non_null(name);
|
||||||
|
data = sftp_extensions_get_data(sftp, 0);
|
||||||
|
assert_non_null(data);
|
||||||
|
|
||||||
|
/* Last extension */
|
||||||
|
name = sftp_extensions_get_name(sftp, count - 1);
|
||||||
|
assert_non_null(name);
|
||||||
|
data = sftp_extensions_get_data(sftp, count - 1);
|
||||||
|
assert_non_null(data);
|
||||||
|
|
||||||
|
/* Overrun */
|
||||||
|
name = sftp_extensions_get_name(sftp, count);
|
||||||
|
assert_null(name);
|
||||||
|
data = sftp_extensions_get_data(sftp, count);
|
||||||
|
assert_null(data);
|
||||||
|
}
|
||||||
|
|
||||||
static int session_teardown(void **state)
|
static int session_teardown(void **state)
|
||||||
{
|
{
|
||||||
struct torture_state *s = *state;
|
struct torture_state *s = *state;
|
||||||
@@ -92,7 +149,10 @@ int torture_run_tests(void) {
|
|||||||
session_teardown),
|
session_teardown),
|
||||||
cmocka_unit_test_setup_teardown(session_setup_channel,
|
cmocka_unit_test_setup_teardown(session_setup_channel,
|
||||||
NULL,
|
NULL,
|
||||||
session_teardown)
|
session_teardown),
|
||||||
|
cmocka_unit_test_setup_teardown(session_setup_extensions,
|
||||||
|
NULL,
|
||||||
|
session_teardown),
|
||||||
};
|
};
|
||||||
|
|
||||||
ssh_init();
|
ssh_init();
|
||||||
|
|||||||
Reference in New Issue
Block a user