shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-12 03:00:26 +09:00
Code Issues Packages Projects Releases Wiki Activity

Add memory error checking to key exchange functions.

Browse Source 
git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@317 7dcaeef0-15fb-0310-b436-a5af3365683c
This commit is contained in:
Andreas Schneider
2009-04-01 10:49:27 +00:00
parent 10afd9818c
commit 79e9eb53d4
2 changed files with 65 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
libssh/kex.c
View File

@@ -73,8 +73,14 @@ static char **tokenize(const char *chain){
char **tokens; char **tokens;
int n=1; int n=1;
int i=0; int i=0;
char *tmp = strdup(chain); char *tmp;
char *ptr = tmp; char *ptr;
tmp = strdup(chain);
if (tmp == NULL) {
return NULL;
}
ptr = tmp;
while(*ptr){ while(*ptr){
if(*ptr==','){ if(*ptr==','){
n++; n++;
@@ -84,6 +90,10 @@ static char **tokenize(const char *chain){
} }
/* now n contains the number of tokens, the first possibly empty if the list was empty too e.g. "" */ /* now n contains the number of tokens, the first possibly empty if the list was empty too e.g. "" */
tokens=malloc(sizeof(char *) * (n+1) ); /* +1 for the null */ tokens=malloc(sizeof(char *) * (n+1) ); /* +1 for the null */
if (tokens == NULL) {
SAFE_FREE(tmp);
return NULL;
}
ptr=tmp; ptr=tmp;
for(i=0;i<n;i++){ for(i=0;i<n;i++){
tokens[i]=ptr; tokens[i]=ptr;
@@ -100,8 +110,15 @@ char **space_tokenize(const char *chain){
char **tokens; char **tokens;
int n=1; int n=1;
int i=0; int i=0;
char *tmp = strdup(chain); char *tmp;
char *ptr = tmp; char *ptr;
tmp = strdup(chain);
if (tmp == NULL) {
return NULL;
}
ptr = tmp;
while(*ptr==' ') while(*ptr==' ')
++ptr; /* skip initial spaces */ ++ptr; /* skip initial spaces */
while(*ptr){ while(*ptr){
@@ -115,7 +132,11 @@ char **space_tokenize(const char *chain){
ptr++; ptr++;
} }
/* now n contains the number of tokens, the first possibly empty if the list was empty too e.g. "" */ /* now n contains the number of tokens, the first possibly empty if the list was empty too e.g. "" */
tokens=malloc(sizeof(char *) * (n+1) ); /* +1 for the null */ tokens = malloc(sizeof(char *) * (n + 1)); /* +1 for the null */
if (tokens == NULL) {
SAFE_FREE(tmp);
return NULL;
}
ptr=tmp; /* we don't pass the initial spaces because the "tmp" pointer is needed by the caller */ ptr=tmp; /* we don't pass the initial spaces because the "tmp" pointer is needed by the caller */
/* function to free the tokens. */ /* function to free the tokens. */
for(i=0;i<n;i++){ for(i=0;i<n;i++){
@@ -141,10 +162,21 @@ char *ssh_find_matching(const char *in_d, const char *what_d){
int i_in, i_what; int i_in, i_what;
char *ret; char *ret;
if( ! (in_d && what_d)) if ((in_d == NULL) || (what_d == NULL)) {
return NULL; /* don't deal with null args */ return NULL; /* don't deal with null args */
tok_in=tokenize(in_d); }
tok_what=tokenize(what_d);
tok_in = tokenize(in_d);
if (tok_in == NULL) {
return NULL;
}
tok_what = tokenize(what_d);
if (tok_what == NULL) {
SAFE_FREE(tok_in[0]);
SAFE_FREE(tok_in);
}
for(i_in=0; tok_in[i_in]; ++i_in){ for(i_in=0; tok_in[i_in]; ++i_in){
for(i_what=0; tok_what[i_what] ; ++i_what){ for(i_what=0; tok_what[i_what] ; ++i_what){
if(!strcmp(tok_in[i_in],tok_what[i_what])){ if(!strcmp(tok_in[i_in],tok_what[i_what])){
@@ -195,11 +227,19 @@ int ssh_get_kex(SSH_SESSION *session,int server_kex ){
} }
/* copy the server kex info into an array of strings */ /* copy the server kex info into an array of strings */
if(server_kex){ if(server_kex){
session->client_kex.methods=malloc( 10 * sizeof(char **)); session->client_kex.methods = malloc(10 * sizeof(char **));
if (session->client_kex.methods == NULL) {
leave_function();
return -1;
}
for(i=0;i<10;++i) for(i=0;i<10;++i)
session->client_kex.methods[i]=strings[i]; session->client_kex.methods[i]=strings[i];
} else { // client } else { // client
session->server_kex.methods=malloc( 10 * sizeof(char **)); session->server_kex.methods = malloc(10 * sizeof(char **));
if (session->server_kex.methods == NULL) {
leave_function();
return -1;
}
for(i=0;i<10;++i) for(i=0;i<10;++i)
session->server_kex.methods[i]=strings[i]; session->server_kex.methods[i]=strings[i];
} }
@@ -237,6 +277,11 @@ int set_kex(SSH_SESSION *session){
else else
ssh_get_random(client->cookie,16,0); ssh_get_random(client->cookie,16,0);
client->methods=malloc(10 * sizeof(char **)); client->methods=malloc(10 * sizeof(char **));
if (client->methods == NULL) {
ssh_set_error(session, SSH_FATAL, "No space left");
leave_function();
return -1;
}
memset(client->methods,0,10*sizeof(char **)); memset(client->methods,0,10*sizeof(char **));
for (i=0;i<10;i++){ for (i=0;i<10;i++){
if(!(wanted=options->wanted_methods[i])) if(!(wanted=options->wanted_methods[i]))

8
libssh/keyfiles.c
View File

@@ -848,6 +848,12 @@ static char **ssh_get_knownhost_line(SSH_SESSION *session,FILE **file, char *fil
if(!buffer[0] || buffer[0]=='#') if(!buffer[0] || buffer[0]=='#')
continue; /* skip empty lines */ continue; /* skip empty lines */
tokens=space_tokenize(buffer); tokens=space_tokenize(buffer);
if (tokens == NULL) {
fclose(*file);
*file = NULL;
leave_function();
return NULL;
}
if(!tokens[0] || !tokens[1] || !tokens[2]){ if(!tokens[0] || !tokens[1] || !tokens[2]){
/* it should have at least 3 tokens */ /* it should have at least 3 tokens */
tokens_free(tokens); tokens_free(tokens);
@@ -870,6 +876,8 @@ static char **ssh_get_knownhost_line(SSH_SESSION *session,FILE **file, char *fil
continue; continue;
} }
} }
fclose(*file);
*file = NULL;
leave_function(); leave_function();
return tokens; return tokens;
} }