Re: [libssh2] [ libssh2-Bugs-2665432 ] auth_cookie generation is broken (channel_x11_req)

[Peter Stuge]

Peter Stuge wrote:
> Suggested patch attached.

Oops. Maybe malloc() is not such a good idea. Updated patch attached.


//Peter

Index: src/channel.c
===================================================================
RCS file: /cvsroot/libssh2/libssh2/src/channel.c,v
retrieving revision 1.72
diff -u -r1.72 channel.c
--- src/channel.c       7 Mar 2009 22:08:05 -0000       1.72
+++ src/channel.c       8 Mar 2009 11:47:04 -0000
@@ -1093,16 +1093,29 @@
             memcpy(s, auth_cookie, cookie_len);
         } else {
             int i;
-            /* note: the extra +1 below is necessary since the sprintf()
-               loop will always write 3 bytes so the last one will write
-               the trailing zero at the LIBSSH2_X11_RANDOM_COOKIE_LEN/2
-               border */
-            unsigned char buffer[(LIBSSH2_X11_RANDOM_COOKIE_LEN / 2) +1];
+            unsigned char *buffer =
+                LIBSSH2_ALLOC(session, (cookie_len + 1) / 2);
+            if (!buffer) {
+                libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+                              "Unable to allocate memory for X11 cookie", 0);
+                return -1;
+            }
 
-            libssh2_random(buffer, LIBSSH2_X11_RANDOM_COOKIE_LEN / 2);
-            for(i = 0; i < (LIBSSH2_X11_RANDOM_COOKIE_LEN / 2); i++) {
+            libssh2_random(buffer, sizeof(buffer));
+
+            /* When cookie_len is an odd number, this will actually write
+             * cookie_len+1 hex digits into s. A little sloppy but still safe,
+             * because there is room in s also for the screen_number.
+             * 
+             * cookie_len is not changed (and must not be, because it has
+             * already been written to the packet before coming here) so any
+             * superflous hex digits are overwritten with screen_number below.
+             */
+            for(i = 0; i < sizeof(buffer); i++) {
                 sprintf((char *)&s[i*2], "%02X", buffer[i]);
             }
+            memset(buffer, 0, sizeof(buffer));
+            LIBSSH2_FREE(session, buffer);
         }
         s += cookie_len;
 

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
libssh2-devel mailing list
libssh2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel