Issue #3007 has been updated by dillon. Status changed from New to Closed
There was one real bug here, the broken assignment. OpenSSH upstream already had the fix. Fix it in the DFly. The other three cases involving dangerous sscanf() calls cannot actually overflow due to the limited input buffer size. Document those cases but make not code change for t hem. Fix committed by Matt ---------------------------------------- Bug #3007: crypto/openssh: four problems http://bugs.dragonflybsd.org/issues/3007#change-13121 * Author: dcb * Status: Closed * Priority: Normal * Assignee: * Category: Crypto * Target version: ---------------------------------------- 1. dragonfly/crypto/openssh/ssh_api.c:361]: (warning) sscanf() without field width limits can crash with huge input data. Source code is if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) but char buf[256], remote_version[256]; /* must be same size! */ Suggest new code if (sscanf(buf, "SSH-%d.%d-%256[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) 2. dragonfly/crypto/openssh/sshconnect2.c:1623]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses. if ((r = sshbuf_put_u32(b, sock) != 0) || (r = sshbuf_put_string(b, data, datalen)) != 0) 3. dragonfly/crypto/openssh/sshconnect.c:629]: (warning) sscanf() without field width limits can crash with huge input data. if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) Suggest limit buffer size. 4. dragonfly/crypto/openssh/sshd.c:477]: (warning) sscanf() without field width limits can crash with huge input data. if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) { -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account