
Patch: Invalid read while parsing known_hosts


Hi,

two patches are attached.

The first one fixes an invalid read when parsing lines from the
known_hosts file, which was introduced by commit 21962d. The bug causes
host keys sent by the server to be randomly rejected. For the average
known_hosts line, the tokens array in ssh_get_knownhost_line() contains
four tokens, with tokens[3]=NULL. However, tokens[4] is accessed for
token validation, which is beyond the end of the tokens array, resulting
in valid host lines being dropped randomly.

The patch completely removes the related check because the optional
comment field may contain whitespace which would result in an arbitrary
number of tokens. Hence, token count >= 3 implies a correctly formatted
known_hosts line.

The other patch fixes a type re-declaration issue which causes errors on
some compilers.

Regards
Tilo Eckert
From 51e6d99d53473e5b6c50a04290684d0970c8c1d6 Mon Sep 17 00:00:00 2001
From: Tilo Eckert <tilo.eckert@xxxxxxx>
Date: Fri, 12 Oct 2018 15:15:00 +0200
Subject: [PATCH 1/2] knownhosts: Fix invalid read of known_hosts token

Fixes invalid read introduced by commit 21962d.
Accessing tokens[4] for a known_hosts line of
three tokens led to randomly rejected host keys.

This commit completely removes the check because
the optional comments field may contain whitespace.

Signed-off-by: Tilo Eckert <tilo.eckert@xxxxxxx>
---
 src/known_hosts.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/known_hosts.c b/src/known_hosts.c
index f52f74b3..407e1de5 100644
--- a/src/known_hosts.c
+++ b/src/known_hosts.c
@@ -131,17 +131,13 @@ static char **ssh_get_knownhost_line(FILE **file, const char *filename,
       return NULL;
     }
 
-    if(!tokens[0] || !tokens[1] || !tokens[2]) {
+    if(tokens[0] == NULL || tokens[1] == NULL || tokens[2] == NULL) {
       /* it should have at least 3 tokens */
       tokens_free(tokens);
       continue;
     }
 
     *found_type = tokens[1];
-    if (tokens[3] || tokens[4]) {
-      tokens_free(tokens);
-      continue;
-    }
 
     return tokens;
   }
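Review bot: After `*found_type = tokens[1];` the function now accepts any number of trailing tokens, but nothing in the code says this is intentional, so a later change could easily reinstate a field-count check. Suggest a short comment at that spot stating that everything from tokens[3] up to the NULL terminator is the optional comment and is deliberately not validated, and that nothing may be indexed past the first NULL entry. For the record, the removed condition `tokens[3] || tokens[4]` evaluated tokens[4] exactly when tokens[3] was NULL, because of `||` short-circuiting, so the read past the terminator happened on well-formed lines without a comment. The `!tokens[0]` to `tokens[0] == NULL` rewrite is a style-only change and would be easier to review as a separate commit.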
-- 
2.18.0

From 0fc8625fe5fbfe3532f3277baadd7a1ae4693ebe Mon Sep 17 00:00:00 2001
From: Tilo Eckert <tilo.eckert@xxxxxxx>
Date: Fri, 12 Oct 2018 15:22:45 +0200
Subject: [PATCH 2/2] chacha: remove re-declared type

re-declaring typedefs are not supported by some compilers

Signed-off-by: Tilo Eckert <tilo.eckert@xxxxxxx>
---
 src/external/chacha.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/external/chacha.c b/src/external/chacha.c
index e47a6328..8d1ccca6 100644
--- a/src/external/chacha.c
+++ b/src/external/chacha.c
@@ -10,8 +10,6 @@ Public domain.
 
 #include "libssh/chacha.h"
 
-typedef unsigned int uint32_t;
-
 typedef struct chacha_ctx chacha_ctx;
 
 #define U8C(v) (v##U)
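Review bot: With `typedef unsigned int uint32_t;` removed, this file relies on `#include "libssh/chacha.h"` to make uint32_t visible, and the hunk does not show that the header provides it. Please confirm that the header pulls in <stdint.h> (or add the include here directly), and say in the commit message where the type now comes from.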
-- 
2.18.0
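
The invalid read described in the message above, as an added example (not libssh code and not part of the original patch): a NULL-terminated token array may only be walked up to its terminator, and a line is accepted once it has at least three tokens, so a comment containing whitespace does not cause rejection. The names `split_tokens`, `token_count`, `known_hosts_line_ok` and `MAX_TOKENS` are hypothetical, and the sample line is constructed.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TOKENS 16

/* Split `line` in place on whitespace into a NULL-terminated array.
 * Stores at most max - 1 tokens so the terminator always fits. */
static size_t split_tokens(char *line, char **tokens, size_t max)
{
    const char *ws = " \t\r\n";
    size_t n = 0;
    char *p = line + strspn(line, ws);

    while (*p != '\0' && n + 1 < max) {
        tokens[n++] = p;
        p += strcspn(p, ws);          /* advance to end of this token */
        if (*p != '\0') {
            *p++ = '\0';              /* terminate token */
            p += strspn(p, ws);       /* skip the following whitespace */
        }
    }
    tokens[n] = NULL;                 /* slots past this one are not valid */
    return n;
}

/* Count entries by walking to the terminator, never indexing beyond it. */
static size_t token_count(char *const *tokens)
{
    size_t n = 0;
    while (tokens[n] != NULL) {
        n++;
    }
    return n;
}

/* 1 if the line has host, key type and key; further tokens are comment. */
static int known_hosts_line_ok(const char *line)
{
    char buf[256];
    char *tokens[MAX_TOKENS];

    if (strlen(line) >= sizeof(buf)) return 0;
    strcpy(buf, line);
    split_tokens(buf, tokens, MAX_TOKENS);
    return token_count(tokens) >= 3;
}

int main(void)
{   /* constructed sample line with a multi-word comment */
    return known_hosts_line_ok("example.org ssh-ed25519 AAAAC3Nz me@host 2018") ? 0 : 1;
}
```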


Follow-Ups:
Re: Patch: Invalid read while parsing known_hosts, Andreas Schneider <asn@xxxxxxxxxxxxxx>