Update ChangeLog.

Verify the length of decrypt operation is a multiple of blocksize

CMakeLists.txt

@@ -6,13 +6,13 @@ cmake_minimum_required(VERSION 2.6.0)
 # global needed variables
 set(APPLICATION_NAME ${PROJECT_NAME})
 
-set(APPLICATION_VERSION "0.3.3")
+set(APPLICATION_VERSION "0.3.4")
 
 set(APPLICATION_VERSION_MAJOR "0")
 set(APPLICATION_VERSION_MINOR "3")
-set(APPLICATION_VERSION_PATCH "3")
+set(APPLICATION_VERSION_PATCH "4")
 
-set(LIBRARY_VERSION "3.3.0")
+set(LIBRARY_VERSION "3.4.0")
 set(LIBRARY_SOVERSION "3")
 
 # where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked

CPackConfig.cmake

@@ -15,7 +15,7 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_SOURCE_DIR}/COPYING")
 ### versions
 set(CPACK_PACKAGE_VERSION_MAJOR "0")
 set(CPACK_PACKAGE_VERSION_MINOR "3")
-set(CPACK_PACKAGE_VERSION_PATCH "3")
+set(CPACK_PACKAGE_VERSION_PATCH "4")
 set(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
 
 

ChangeLog

@@ -1,6 +1,16 @@
 ChangeLog
 ==========
 
+version 0.3.4 (released 2009-09-14)
+  * Added ssh_basename and ssh_dirname.
+  * Added a portable ssh_mkdir function.
+  * Added a sftp_tell64() function.
+  * Added missing NULL pointer checks to crypt_set_algorithms_server.
+  * Fixed ssh_write_knownhost if ~/.ssh doesn't exist.
+  * Fixed a possible integer overflow in buffer_get_data().
+  * Fixed possible security bug in packet_decrypt().
+  * Fixed a possible stack overflow in agent code.
+
 version 0.3.3 (released 2009-08-18)
   * Fixed double free pointer crash in dsa_public_to_string.
   * Fixed channel_get_exit_status bug.

include/libssh/libssh.h

@@ -51,7 +51,7 @@ typedef unsigned long long uint64_t;
 /* libssh version */
 #define LIBSSH_VERSION_MAJOR  0
 #define LIBSSH_VERSION_MINOR  3
-#define LIBSSH_VERSION_MICRO  3
+#define LIBSSH_VERSION_MICRO  4
 
 #define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
                                            LIBSSH_VERSION_MINOR, \
@@ -373,6 +373,10 @@ const char *ssh_userauth_kbdint_getprompt(SSH_SESSION *session, unsigned int i,
 int ssh_userauth_kbdint_setanswer(SSH_SESSION *session, unsigned int i,
     const char *answer);
 
+/* misc.c */
+int ssh_mkdir (const char *pathname, mode_t mode);
+char *ssh_dirname (const char *path);
+char *ssh_basename (const char *path);
 
 /* init.c */
 int ssh_init(void);

include/libssh/sftp.h

@@ -469,6 +469,17 @@ int sftp_seek64(SFTP_FILE *file, u64 new_offset);
  */
 unsigned long sftp_tell(SFTP_FILE *file);
 
+/**
+ * @brief Report current byte position in file.
+ *
+ * @param file          Open sftp file handle.
+ *
+ * @return              The offset of the current byte relative to the beginning
+ *                      of the file associated with the file descriptor. < 0 on
+ *                      error.
+ */
+u64 sftp_tell64(SFTP_FILE *file);
+
 /**
  * @brief Rewinds the position of the file pointer to the beginning of the
  * file.

libssh/agent.c

@@ -210,10 +210,7 @@ static int agent_talk(struct ssh_session *session,
 
   /* send length and then the request packet */
   if (atomicio(session->agent->sock, payload, 4, 0) == 4) {
-    buffer_get_data(request, payload, len);
-    ssh_log(session, SSH_LOG_PACKET,
-        "agent_talk - sending request, payload[0] = %u", payload[0]);
-    if (atomicio(session->agent->sock, payload, len, 0)
+    if (atomicio(session->agent->sock, buffer_get_rest(request), len, 0)
         != len) {
       ssh_log(session, SSH_LOG_PACKET, "atomicio sending request failed: %s",
           strerror(errno));

libssh/buffer.c

@@ -298,8 +298,13 @@ u32 buffer_pass_bytes_end(struct buffer_struct *buffer, u32 len){
  * \returns len otherwise.
  */
 u32 buffer_get_data(struct buffer_struct *buffer, void *data, u32 len){
-    if(buffer->pos+len>buffer->used)
-        return 0;  /*no enough data in buffer */
+    /*
+     * Check for a integer overflow first, then check if not enough data is in
+     * the buffer.
+     */
+    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+      return 0;
+    }
     memcpy(data,buffer->data+buffer->pos,len);
     buffer->pos+=len;
     return len;   /* no yet support for partial reads (is it really needed ?? ) */

libssh/crypt.c

@@ -60,7 +60,10 @@ u32 packet_decrypt_len(SSH_SESSION *session, char *crypted){
 int packet_decrypt(SSH_SESSION *session, void *data,u32 len) {
   struct crypto_struct *crypto = session->current_crypto->in_cipher;
   char *out = NULL;
-
+  if(len % session->current_crypto->in_cipher->blocksize != 0){
+    ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
+    return SSH_ERROR;
+  }
   out = malloc(len);
   if (out == NULL) {
     return -1;
@@ -100,7 +103,10 @@ unsigned char *packet_encrypt(SSH_SESSION *session, void *data, u32 len) {
   if (!session->current_crypto) {
     return NULL; /* nothing to do here */
   }
-
+  if(len % session->current_crypto->in_cipher->blocksize != 0){
+      ssh_set_error(session, SSH_FATAL, "Cryptographic functions must be set on at least one blocksize (received %d)",len);
+      return NULL;
+  }
   out = malloc(len);
   if (out == NULL) {
     return NULL;

libssh/keyfiles.c

@@ -22,13 +22,15 @@
  * MA 02111-1307, USA.
  */
 
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include <stdio.h>
 #include <string.h>
-#include <errno.h>
 #include <unistd.h>
 #include <stdlib.h>
-#include <fcntl.h>
-#include <ctype.h>
 
 #ifndef _WIN32
 #include <arpa/inet.h>
@@ -1447,6 +1449,7 @@ int ssh_write_knownhost(SSH_SESSION *session) {
   unsigned char *pubkey_64;
   char buffer[4096] = {0};
   FILE *file;
+  char *dir;
   size_t len = 0;
 
   if (ssh_options_default_known_hosts_file(session->options) < 0) {
@@ -1460,6 +1463,22 @@ int ssh_write_knownhost(SSH_SESSION *session) {
     return -1;
   }
 
+  /* Check if ~/.ssh exists and create it if not */
+  dir = ssh_dirname(session->options->known_hosts_file);
+  if (dir == NULL) {
+    ssh_set_error(session, SSH_FATAL, "%s", strerror(errno));
+    return -1;
+  }
+  if (! ssh_file_readaccess_ok(dir)) {
+    if (ssh_mkdir(dir, 0700) < 0) {
+      ssh_set_error(session, SSH_FATAL,
+          "Cannot create %s directory.", dir);
+      SAFE_FREE(dir);
+      return -1;
+    }
+  }
+  SAFE_FREE(dir);
+
   file = fopen(session->options->known_hosts_file, "a");
   if (file == NULL) {
     ssh_set_error(session, SSH_FATAL,

libssh/libssh.map

@@ -104,6 +104,9 @@ SSH_0.3 {
     ssh_get_random;
     ssh_get_status;
     ssh_get_version;
+    ssh_mkdir;
+    ssh_basename;
+    ssh_dirname;
     ssh_init;
     ssh_is_server_known;
     ssh_log;

libssh/misc.c

@@ -27,6 +27,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <stdlib.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 
 #include "config.h"
@@ -35,6 +36,7 @@
 #define _WIN32_IE 0x0400 //SHGetSpecialFolderPath
 #include <shlobj.h>
 #include <winsock2.h>
+#include <direct.h>
 #else
 #include <pwd.h>
 #include <arpa/inet.h>
@@ -149,5 +151,137 @@ const char *ssh_version(int req_version) {
   return NULL;
 }
 
+/**
+ * @brief Parse directory component.
+ *
+ * dirname breaks a null-terminated pathname string into a directory component.
+ * In the usual case, ssh_dirname() returns the string up to, but not including,
+ * the final '/'. Trailing '/' characters are  not  counted as part of the
+ * pathname. The caller must free the memory.
+ *
+ * @param path  The path to parse.
+ *
+ * @return  The dirname of path or NULL if we can't allocate memory. If path
+ *          does not contain a slash, c_dirname() returns the string ".".  If
+ *          path is the string "/", it returns the string "/". If path is
+ *          NULL or an empty string, "." is returned.
+ */
+char *ssh_dirname (const char *path) {
+  char *new = NULL;
+  unsigned int len;
+
+  if (path == NULL || *path == '\0') {
+    return strdup(".");
+  }
+
+  len = strlen(path);
+
+  /* Remove trailing slashes */
+  while(len > 0 && path[len - 1] == '/') --len;
+
+  /* We have only slashes */
+  if (len == 0) {
+    return strdup("/");
+  }
+
+  /* goto next slash */
+  while(len > 0 && path[len - 1] != '/') --len;
+
+  if (len == 0) {
+    return strdup(".");
+  } else if (len == 1) {
+    return strdup("/");
+  }
+
+  /* Remove slashes again */
+  while(len > 0 && path[len - 1] == '/') --len;
+
+  new = malloc(len + 1);
+  if (new == NULL) {
+    return NULL;
+  }
+
+  strncpy(new, path, len);
+  new[len] = '\0';
+
+  return new;
+}
+
+/**
+ * @brief basename - parse filename component.
+ *
+ * basename breaks a null-terminated pathname string into a filename component.
+ * ssh_basename() returns the component following the final '/'.  Trailing '/'
+ * characters are not counted as part of the pathname.
+ *
+ * @param path The path to parse.
+ *
+ * @return  The filename of path or NULL if we can't allocate memory. If path
+ *          is a the string "/", basename returns the string "/". If path is
+ *          NULL or an empty string, "." is returned.
+ */
+char *ssh_basename (const char *path) {
+  char *new = NULL;
+  const char *s;
+  unsigned int len;
+
+  if (path == NULL || *path == '\0') {
+    return strdup(".");
+  }
+
+  len = strlen(path);
+  /* Remove trailing slashes */
+  while(len > 0 && path[len - 1] == '/') --len;
+
+  /* We have only slashes */
+  if (len == 0) {
+    return strdup("/");
+  }
+
+  while(len > 0 && path[len - 1] != '/') --len;
+
+  if (len > 0) {
+    s = path + len;
+    len = strlen(s);
+
+    while(len > 0 && s[len - 1] == '/') --len;
+  } else {
+    return strdup(path);
+  }
+
+  new = malloc(len + 1);
+  if (new == NULL) {
+    return NULL;
+  }
+
+  strncpy(new, s, len);
+  new[len] = '\0';
+
+  return new;
+}
+
+/**
+ * @brief Attempts to create a directory with the given pathname.
+ *
+ * This is the portable version of mkdir, mode is ignored on Windows systems.
+ *
+ * @param  pathname     The path name to create the directory.
+ *
+ * @param  mode         The permissions to use.
+ *
+ * @return 0 on success, < 0 on error with errno set.
+ */
+int ssh_mkdir(const char *pathname, mode_t mode) {
+  int r;
+
+#ifdef _WIN32
+  r = _mkdir(pathname);
+#else
+  r = mkdir(pathname, mode);
+#endif
+
+  return r;
+}
+
 /** @} */
 /* vim: set ts=2 sw=2 et cindent: */

libssh/sftp.c

@@ -1777,7 +1777,11 @@ int sftp_seek64(SFTP_FILE *file, u64 new_offset) {
 
 /* Report current byte position in file. */
 unsigned long sftp_tell(SFTP_FILE *file) {
-  return file->offset;
+  return (unsigned long)file->offset;
+}
+/* Report current byte position in file. */
+u64 sftp_tell64(SFTP_FILE *file) {
+  return (u64)file->offset;
 }
 
 /* Rewinds the position of the file pointer to the beginning of the file.*/

libssh/wrapper.c

@@ -901,7 +901,7 @@ int crypt_set_algorithms_server(SSH_SESSION *session){
     /* out */
     server = session->server_kex.methods[SSH_CRYPT_S_C];
     client = session->client_kex.methods[SSH_CRYPT_S_C];
-    match = ssh_find_matching(client,server);
+    match = ssh_find_matching(client, server);
 
     if(!match){
         ssh_set_error(session,SSH_FATAL,"Crypt_set_algorithms_server : no matching algorithm function found for %s",server);
@@ -963,8 +963,8 @@ int crypt_set_algorithms_server(SSH_SESSION *session){
         ssh_log(session,SSH_LOG_PACKET,"enabling C->S compression");
         session->next_crypto->do_compress_in=1;
     }
-    free(match);
-    
+    SAFE_FREE(match);
+
     client=session->client_kex.methods[SSH_CRYPT_S_C];
     server=session->server_kex.methods[SSH_CRYPT_S_C];
     match=ssh_find_matching(client,server);
@@ -972,22 +972,23 @@ int crypt_set_algorithms_server(SSH_SESSION *session){
         ssh_log(session,SSH_LOG_PACKET,"enabling S->C compression\n");
         session->next_crypto->do_compress_out=1;
     }
-    free(match);
-    
+    SAFE_FREE(match);
+
     server=session->server_kex.methods[SSH_HOSTKEYS];
     client=session->client_kex.methods[SSH_HOSTKEYS];
     match=ssh_find_matching(client,server);
-    if(!strcmp(match,"ssh-dss"))
+    if(match && !strcmp(match,"ssh-dss"))
         session->hostkeys=TYPE_DSS;
-    else if(!strcmp(match,"ssh-rsa"))
+    else if(match && !strcmp(match,"ssh-rsa"))
         session->hostkeys=TYPE_RSA;
     else {
-        ssh_set_error(session,SSH_FATAL,"cannot know what %s is into %s",match,server);
-        free(match);
+        ssh_set_error(session, SSH_FATAL, "Cannot know what %s is into %s",
+            match ? match : NULL, server);
+        SAFE_FREE(match);
         leave_function();
         return SSH_ERROR;
     }
-    free(match);
+    SAFE_FREE(match);
     leave_function();
     return SSH_OK;
 }