/*
- * Dropbear - a SSH2 server
+ * Dropbear SSH
*
* Copyright (c) 2002,2003 Matt Johnston
* All rights reserved.
/* Buffer handling routines, designed to avoid overflows/using invalid data */
#include "includes.h"
-#include "util.h"
+#include "dbutil.h"
#include "buffer.h"
+/* Prevent integer overflows when incrementing buffer position/length.
+ * Calling functions should check arguments first, but this provides a
+ * backstop */
+#define BUF_MAX_INCR 1000000000
+#define BUF_MAX_SIZE 1000000000
+
+/* avoid excessively large numbers, > ~8192 bits */
+#define BUF_MAX_MPINT (8240 / 8)
+
/* Create (malloc) a new buffer of size */
buffer* buf_new(unsigned int size) {
- buffer* ret;
+ buffer* buf;
- ret = (buffer*)m_malloc(sizeof(buffer));
- buf_init(ret, size);
- return ret;
+ if (size > BUF_MAX_SIZE) {
+ dropbear_exit("buf->size too big");
+ }
+
+ buf = (buffer*)m_malloc(sizeof(buffer));
+
+ if (size > 0) {
+ buf->data = (unsigned char*)m_malloc(size);
+ } else {
+ buf->data = NULL;
+ }
+
+ buf->size = size;
+ buf->pos = 0;
+ buf->len = 0;
+
+ return buf;
}
}
-/* initialise an already allocated buffer. The data won't be freed before
- * malloc */
-void buf_init(buffer* buf, unsigned int size) {
+/* resize a buffer, pos and len will be repositioned if required when
+ * downsizing */
+void buf_resize(buffer *buf, unsigned int newsize) {
- if (size > 0) {
- buf->data = (unsigned char*)m_malloc(size);
- } else {
- buf->data = NULL;
+ if (newsize > BUF_MAX_SIZE) {
+ dropbear_exit("buf->size too big");
}
- buf->size = size;
- buf->pos = 0;
- buf->len = 0;
-}
-
-/* resize a buffer, pos and len will be repositioned if required */
-void buf_resize(buffer *buf, unsigned int newsize) {
-
buf->data = m_realloc(buf->data, newsize);
buf->size = newsize;
buf->len = MIN(newsize, buf->len);
}
-/* create a copy of buf, allocating required memory etc */
-/* the new buffer is sized the same as the length of the source buffer */
-/* lenonly is a boolean flag specifying whether to set the size of the new
- * buffer to be just the len of the source buffer (1), or the size of the
- * source buffer (0) */
+/* Create a copy of buf, allocating required memory etc. */
+/* The new buffer is sized the same as the length of the source buffer. */
buffer* buf_newcopy(buffer* buf) {
buffer* ret;
/* Increment the length of the buffer */
void buf_incrlen(buffer* buf, unsigned int incr) {
- if (buf->len + incr > buf->size) {
+ if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) {
dropbear_exit("bad buf_incrlen");
}
buf->len += incr;
/* increment the postion by incr, increasing the buffer length if required */
void buf_incrwritepos(buffer* buf, unsigned int incr) {
- if (buf->pos + incr > buf->size) {
+ if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
dropbear_exit("bad buf_incrwritepos");
}
buf->pos += incr;
/* increment the position by incr, negative values are allowed, to
* decrement the pos*/
void buf_incrpos(buffer* buf, int incr) {
- if ((unsigned int)((int)buf->pos + incr) > buf->len
+ if (incr > BUF_MAX_INCR ||
+ (unsigned int)((int)buf->pos + incr) > buf->len
|| ((int)buf->pos + incr) < 0) {
dropbear_exit("bad buf_incrpos");
}
/* Get a byte from the buffer and increment the pos */
unsigned char buf_getbyte(buffer* buf) {
+ /* This check is really just ==, but the >= allows us to check for the
+ * assert()able case of pos > len, which should _never_ happen. */
if (buf->pos >= buf->len) {
dropbear_exit("bad buf_getbyte");
}
return buf->data[buf->pos++];
}
+/* Get a bool from the buffer and increment the pos */
+unsigned char buf_getbool(buffer* buf) {
+
+ unsigned char b;
+ b = buf_getbyte(buf);
+ if (b != 0)
+ b = 1;
+ return b;
+}
+
/* put a byte, incrementing the length if required */
void buf_putbyte(buffer* buf, unsigned char val) {
buf->pos++;
}
-/* returns an in-place pointer to the buffer, for boundschecking */
+/* returns an in-place pointer to the buffer, checking that
+ * the next len bytes from that position can be used */
unsigned char* buf_getptr(buffer* buf, unsigned int len) {
if (buf->pos + len > buf->len) {
return &buf->data[buf->pos];
}
-/* return a null-terminated string, it is malloced, so must be free()ed
+/* Return a null-terminated string, it is malloced, so must be free()ed
* Note that the string isn't checked for null bytes, hence the retlen
* may be longer than what is returned by strlen */
unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
return ret;
}
+/* Just increment the buffer position the same as if we'd used buf_getstring,
+ * but don't bother copying/malloc()ing for it */
+void buf_eatstring(buffer *buf) {
+
+ buf_incrpos( buf, buf_getint(buf) );
+}
+
/* Get an uint32 from the buffer and increment the pos */
unsigned int buf_getint(buffer* buf) {
unsigned int ret;
void buf_putmpint(buffer* buf, mp_int * mp) {
unsigned int len, pad = 0;
- TRACE(("enter buf_putmpint"));
+ TRACE(("enter buf_putmpint"))
assert(mp != NULL);
buf_incrwritepos(buf, len-pad);
}
- TRACE(("leave buf_putmpint"));
+ TRACE(("leave buf_putmpint"))
}
/* Retrieve an mp_int from the buffer.
return DROPBEAR_SUCCESS;
}
+ if (len > BUF_MAX_MPINT) {
+ return DROPBEAR_FAILURE;
+ }
+
/* check for negative */
if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
return DROPBEAR_FAILURE;