https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Bug ID: 2396
Summary: Out of bounds read when parsing EscapeChar
configuration value
Product: Portable OpenSSH
Version: 6.8p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: [email protected]
Reporter: [email protected]
An out of bounds memory read occurs while parsing the value for
EscapeChar in the following if-statement at readconf.c:1239:
if (arg[0] == '^' && arg[2] == 0 &&
(u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
This is erroneous because arg[2] might be one character off the end of
the string. I suggest the first two branches be rewritten as follows:
if (arg[1] == 0) // was "else if (strlen(arg) == 1)"
value = (u_char) arg[0];
else if (arg[0] == '^' && arg[2] == 0 &&
(u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
value = (u_char) arg[1] & 31;
This ensures that all single-character values are handled correctly and
arg[2] refers to accessible memory.
PS: As an unrelated comment, I wish to mention that running ssh through
valgrind's memcheck seems to yield lots of results.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
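The following is an added example, not code from the bug report or from OpenSSH. It models the EscapeChar branch order the report describes for 6.8p1 (the '^' test before the single-character test, as the reporter's "was" comment indicates) beside the reporter's reordered version. Instead of dereferencing past the terminator, which is undefined behaviour, it reads the argument through a bounds-tracking accessor that counts every index beyond strlen(arg), so the stray arg[2] read on the one-character input "^" shows up as a counter rather than as something only valgrind would notice. The accessor, the ESCAPECHAR_* values standing in for SSH_ESCAPECHAR_NONE and fatal(), and the placement of the "none" branch are assumptions of this example, not OpenSSH's code.

```c
/*
 * Added example, not OpenSSH code: the two EscapeChar branch orders from
 * bug 2396, parsed through a bounds-tracking accessor so that a read past
 * the string terminator is counted instead of being undefined behaviour.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESCAPECHAR_NONE (-2)   /* assumed stand-in for SSH_ESCAPECHAR_NONE */
#define ESCAPECHAR_BAD  (-1)   /* stands in for fatal("Bad escape character") */

struct tracked_arg {
    const char *s;     /* NUL-terminated argument as strdelim() would return it */
    size_t len;        /* strlen(s); index len holds the terminator */
    size_t oob_reads;  /* reads at index > len, i.e. past the terminator */
};

/* arg[i] with bounds accounting. A read past the terminator is counted and
 * yields 0; real memory at that address could hold any stale byte. */
static unsigned char at(struct tracked_arg *t, size_t i) {
    if (i > t->len) { t->oob_reads++; return 0; }
    return (unsigned char)t->s[i];
}

/* Branch order the report describes for 6.8p1: the '^' test runs first,
 * so a one-character argument reaches arg[2], one past its terminator. */
static int parse_escape_vuln(struct tracked_arg *t) {
    if (t->len == 0) return ESCAPECHAR_BAD;          /* "Missing argument." */
    if (at(t, 0) == '^' && at(t, 2) == 0 &&
        at(t, 1) >= 64 && at(t, 1) < 128)
        return at(t, 1) & 31;                        /* ^X -> control char */
    else if (t->len == 1)                            /* strlen(arg) == 1 */
        return at(t, 0);
    else if (strcmp(t->s, "none") == 0)
        return ESCAPECHAR_NONE;
    return ESCAPECHAR_BAD;
}

/* Reporter's reordering: single-character values are handled before the
 * '^' branch, so arg[2] is only read when arg[1] is a real character and
 * arg[2] is at worst the terminator. */
static int parse_escape_fixed(struct tracked_arg *t) {
    if (t->len == 0) return ESCAPECHAR_BAD;
    if (at(t, 1) == 0)                               /* was strlen(arg) == 1 */
        return at(t, 0);
    else if (at(t, 0) == '^' && at(t, 2) == 0 &&
        at(t, 1) >= 64 && at(t, 1) < 128)
        return at(t, 1) & 31;
    else if (strcmp(t->s, "none") == 0)
        return ESCAPECHAR_NONE;
    return ESCAPECHAR_BAD;
}

/* Parse s with either order; returns the escape value and, via *oob,
 * how many reads landed past the terminator. */
int escape_parse(const char *s, int fixed_order, size_t *oob) {
    struct tracked_arg t = { s, strlen(s), 0 };
    int v = fixed_order ? parse_escape_fixed(&t) : parse_escape_vuln(&t);
    if (oob) *oob = t.oob_reads;
    return v;
}

int escape_value(const char *s, int fixed_order) {
    return escape_parse(s, fixed_order, NULL);
}

size_t escape_oob_reads(const char *s, int fixed_order) {
    size_t oob = 0;
    escape_parse(s, fixed_order, &oob);
    return oob;
}

int main(void) {
    /* Constructed inputs: the problematic "^", plus normal and bad values. */
    const char *inputs[] = { "^", "^A", "~", "none", "xy" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t oob_v, oob_f;
        int v = escape_parse(inputs[i], 0, &oob_v);
        int f = escape_parse(inputs[i], 1, &oob_f);
        printf("%-5s  6.8p1 order: value %3d, %zu read(s) past end | "
               "reordered: value %3d, %zu read(s) past end\n",
               inputs[i], v, oob_v, f, oob_f);
    }
    return 0;
}
```

Whatever stale byte sits at arg[2] for the input "^", the original condition still fails, because arg[1] is the terminator and cannot satisfy the `>= 64` test, so both orders produce the same value and the defect is purely a memory-safety one (exactly what valgrind's memcheck flags), which is consistent with the report's "minor" severity. The reordered version never touches index 2 unless index 1 holds a real character.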