shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-09 09:54:25 +09:00
Code Issues Packages Projects Releases Wiki Activity

misc: Validate integers converted from the SSH banner

Browse Source 
BUG: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1181

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit d5d8349224)
This commit is contained in:
Andreas Schneider
2017-04-21 11:02:29 +02:00
parent 02c0a3b99b
commit 95b2dbbeca
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/misc.c
View File

@@ -846,7 +846,7 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
openssh = strstr(banner, "OpenSSH"); openssh = strstr(banner, "OpenSSH");
if (openssh != NULL) { if (openssh != NULL) {
int major, minor; unsigned int major, minor;
/* /*
* The banner is typical: * The banner is typical:
@@ -854,8 +854,22 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
* 012345678901234567890 * 012345678901234567890
*/ */
if (strlen(openssh) > 9) { if (strlen(openssh) > 9) {
major = strtol(openssh + 8, (char **) NULL, 10); major = strtoul(openssh + 8, (char **) NULL, 10);
if (major < 1 || major > 100) {
ssh_set_error(session,
SSH_FATAL,
"Invalid major version number: %s",
banner);
return -1;
}
minor = strtol(openssh + 10, (char **) NULL, 10); minor = strtol(openssh + 10, (char **) NULL, 10);
if (minor > 100) {
ssh_set_error(session,
SSH_FATAL,
"Invalid minor version number: %s",
banner);
return -1;
}
session->openssh = SSH_VERSION_INT(major, minor, 0); session->openssh = SSH_VERSION_INT(major, minor, 0);
SSH_LOG(SSH_LOG_RARE, SSH_LOG(SSH_LOG_RARE,
"We are talking to an OpenSSH client version: %d.%d (%x)", "We are talking to an OpenSSH client version: %d.%d (%x)",