X-Git-Url: http://git.rot13.org/?p=bcm963xx.git;a=blobdiff_plain;f=userapps%2Fopensource%2Fsshd%2Fbuffer.c;h=97045ffcfc3acba3f05b86c9a7bd452e1197effb;hp=6eb6e1008fb59bfbf229276ddcabed06fd513a7b;hb=57a096f051259ceaefd5977f30d269884e1dd248;hpb=9887430fc6b7c0f8eb8e81de2bfe3bba12d8d4a1
diff --git a/userapps/opensource/sshd/buffer.c b/userapps/opensource/sshd/buffer.c
index 6eb6e100..97045ffc 100755
--- a/userapps/opensource/sshd/buffer.c
+++ b/userapps/opensource/sshd/buffer.c
@@ -1,5 +1,5 @@
 /*
- * Dropbear - a SSH2 server
+ * Dropbear SSH
 *
 * Copyright (c) 2002,2003 Matt Johnston
 * All rights reserved.
@@ -25,17 +25,40 @@
 /* Buffer handling routines, designed to avoid overflows/using invalid data */
 #include "includes.h"
-#include "util.h"
+#include "dbutil.h"
 #include "buffer.h"
+/* Prevent integer overflows when incrementing buffer position/length.
+ * Calling functions should check arguments first, but this provides a
+ * backstop */
+#define BUF_MAX_INCR 1000000000
+#define BUF_MAX_SIZE 1000000000
+
+/* avoid excessively large numbers, > ~8192 bits */
+#define BUF_MAX_MPINT (8240 / 8)
+
 /* Create (malloc) a new buffer of size */
 buffer* buf_new(unsigned int size) {
- buffer* ret;
+ buffer* buf;
- ret = (buffer*)m_malloc(sizeof(buffer));
- buf_init(ret, size);
- return ret;
+ if (size > BUF_MAX_SIZE) {
+ dropbear_exit("buf->size too big");
+ }
+
+ buf = (buffer*)m_malloc(sizeof(buffer));
+
+ if (size > 0) {
+ buf->data = (unsigned char*)m_malloc(size);
+ } else {
+ buf->data = NULL;
+ }
+
+ buf->size = size;
+ buf->pos = 0;
+ buf->len = 0;
+
+ return buf;
 }
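Review bot: The comment above `BUF_MAX_INCR`/`BUF_MAX_SIZE` says they prevent integer overflow but not why 1000000000 is a safe value, and that property is exactly what the new `incr > BUF_MAX_INCR` guards in buf_incrlen, buf_incrwritepos and buf_incrpos (later hunks) rely on: pos and len can never exceed BUF_MAX_SIZE, so `buf->len + incr` and `buf->pos + incr` stay below 2000000001, which fits a 32-bit `unsigned int` and also a 32-bit `int`, so the `(int)buf->pos + incr` arithmetic in buf_incrpos cannot overflow either. Nothing enforces that relation between the two plain `#define`s, so a maintainer raising either one would silently weaken every one of those checks. I would record the invariant next to the defines, e.g. `/* BUF_MAX_SIZE + BUF_MAX_INCR must stay below INT_MAX: the pos/len + incr range checks, including the int arithmetic in buf_incrpos, depend on it */`.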
@@ -53,24 +76,14 @@ void buf_burn(buffer* buf) {
 }
-/* initialise an already allocated buffer. The data won't be freed before
- * malloc */
-void buf_init(buffer* buf, unsigned int size) {
+/* resize a buffer, pos and len will be repositioned if required when
+ * downsizing */
+void buf_resize(buffer *buf, unsigned int newsize) {
- if (size > 0) {
- buf->data = (unsigned char*)m_malloc(size);
- } else {
- buf->data = NULL;
+ if (newsize > BUF_MAX_SIZE) {
+ dropbear_exit("buf->size too big");
 }
- buf->size = size;
- buf->pos = 0;
- buf->len = 0;
-}
-
-/* resize a buffer, pos and len will be repositioned if required */
-void buf_resize(buffer *buf, unsigned int newsize) {
-
 buf->data = m_realloc(buf->data, newsize);
 buf->size = newsize;
 buf->len = MIN(newsize, buf->len);
@@ -78,11 +91,8 @@ void buf_resize(buffer *buf, unsigned int newsize) {
 }
-/* create a copy of buf, allocating required memory etc */
-/* the new buffer is sized the same as the length of the source buffer */
-/* lenonly is a boolean flag specifying whether to set the size of the new
- * buffer to be just the len of the source buffer (1), or the size of the
- * source buffer (0) */
+/* Create a copy of buf, allocating required memory etc. */
+/* The new buffer is sized the same as the length of the source buffer. */
 buffer* buf_newcopy(buffer* buf) {
 buffer* ret;
@@ -103,7 +113,7 @@ void buf_setlen(buffer* buf, unsigned int len) {
 /* Increment the length of the buffer */
 void buf_incrlen(buffer* buf, unsigned int incr) {
- if (buf->len + incr > buf->size) {
+ if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) {
 dropbear_exit("bad buf_incrlen");
 }
 buf->len += incr;
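Review bot: buf_resize still passes `newsize == 0` straight to m_realloc, while the new buf_new in the previous hunk special-cases `size == 0` by storing `NULL` without allocating, so the two leave `data` in different states for the same size. `realloc(p, 0)` is implementation-defined and may free p and return NULL; if m_realloc treats a NULL return as an allocation failure — its body is not visible here — shrinking a buffer to zero would exit instead of succeeding. Mirroring buf_new keeps the invariant in one shape: `if (newsize == 0) { m_free(buf->data); buf->data = NULL; } else { buf->data = m_realloc(buf->data, newsize); }`, with m_free being whatever counterpart of m_malloc the project uses. buf_resize's body continues past the end of the hunk, so I have not seen how `pos` is clamped there.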
@@ -119,7 +129,7 @@ void buf_setpos(buffer* buf, unsigned int pos) {
 /* increment the postion by incr, increasing the buffer length if required */
 void buf_incrwritepos(buffer* buf, unsigned int incr) {
- if (buf->pos + incr > buf->size) {
+ if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
 dropbear_exit("bad buf_incrwritepos");
 }
 buf->pos += incr;
@@ -131,7 +141,8 @@ void buf_incrwritepos(buffer* buf, unsigned int incr) {
 /* increment the position by incr, negative values are allowed, to
 * decrement the pos*/
 void buf_incrpos(buffer* buf, int incr) {
- if ((unsigned int)((int)buf->pos + incr) > buf->len
+ if (incr > BUF_MAX_INCR ||
+ (unsigned int)((int)buf->pos + incr) > buf->len
 || ((int)buf->pos + incr) < 0) {
 dropbear_exit("bad buf_incrpos");
 }
@@ -141,12 +152,24 @@ void buf_incrpos(buffer* buf, int incr) {
 /* Get a byte from the buffer and increment the pos */
 unsigned char buf_getbyte(buffer* buf) {
+ /* This check is really just ==, but the >= allows us to check for the
+ * assert()able case of pos > len, which should _never_ happen. */
 if (buf->pos >= buf->len) {
 dropbear_exit("bad buf_getbyte");
 }
 return buf->data[buf->pos++];
 }
+/* Get a bool from the buffer and increment the pos */
+unsigned char buf_getbool(buffer* buf) {
+ unsigned char b;
+ b = buf_getbyte(buf);
+ if (b != 0)
+ b = 1;
+ return b;
+}
+
 /* put a byte, incrementing the length if required */
 void buf_putbyte(buffer* buf, unsigned char val) {
@@ -157,7 +180,8 @@ void buf_putbyte(buffer* buf, unsigned char val) {
 buf->pos++;
 }
-/* returns an in-place pointer to the buffer, for boundschecking */
+/* returns an in-place pointer to the buffer, checking that
+ * the next len bytes from that position can be used */
 unsigned char* buf_getptr(buffer* buf, unsigned int len) {
 if (buf->pos + len > buf->len) {
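Review bot: buf_getbool in the third hunk uses four statements to normalise a byte to 0/1, and the `if (b != 0)` body is an unbraced single statement, which the rest of this file avoids (every other `if` in the diff is braced). The whole body collapses to `return buf_getbyte(buf) != 0;`, which states the contract the comment gives and still goes through the bounds check in buf_getbyte. If the multi-line form is kept for readability, brace the `if`.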
@@ -176,7 +200,7 @@ unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
 return &buf->data[buf->pos];
 }
-/* return a null-terminated string, it is malloced, so must be free()ed
+/* Return a null-terminated string, it is malloced, so must be free()ed
 * Note that the string isn't checked for null bytes, hence the retlen
 * may be longer than what is returned by strlen */
 unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
@@ -199,6 +223,13 @@ unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
 return ret;
 }
+/* Just increment the buffer position the same as if we'd used buf_getstring,
+ * but don't bother copying/malloc()ing for it */
+void buf_eatstring(buffer *buf) {
+ buf_incrpos( buf, buf_getint(buf) );
+}
+
 /* Get an uint32 from the buffer and increment the pos */
 unsigned int buf_getint(buffer* buf) {
 unsigned int ret;
@@ -237,7 +268,7 @@ void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
 void buf_putmpint(buffer* buf, mp_int * mp) {
 unsigned int len, pad = 0;
- TRACE(("enter buf_putmpint"));
+ TRACE(("enter buf_putmpint"))
 assert(mp != NULL);
@@ -273,7 +304,7 @@ void buf_putmpint(buffer* buf, mp_int * mp) {
 buf_incrwritepos(buf, len-pad);
 }
- TRACE(("leave buf_putmpint"));
+ TRACE(("leave buf_putmpint"))
 }
 /* Retrieve an mp_int from the buffer.
@@ -289,6 +320,10 @@ int buf_getmpint(buffer* buf, mp_int* mp) {
 return DROPBEAR_SUCCESS;
 }
+ if (len > BUF_MAX_MPINT) {
+ return DROPBEAR_FAILURE;
+ }
 /* check for negative */
 if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
 return DROPBEAR_FAILURE;
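Review bot: buf_eatstring in the second hunk hands the `unsigned int` length returned by buf_getint, which comes off the wire, to buf_incrpos's `int incr` parameter; any length above INT_MAX is converted to a negative value in an implementation-defined way, so the new `incr > BUF_MAX_INCR` test in buf_incrpos never sees it and the packet is rejected only by the later `< 0` check, with a "bad buf_incrpos" exit instead of the string-length check a reader expects here. Doing the bound check in unsigned arithmetic before converting makes the intent explicit: `unsigned int len = buf_getint(buf);` / `if (len > buf->len - buf->pos) { dropbear_exit("bad buf_eatstring"); }` / `buf_incrpos(buf, (int)len);` — this assumes pos <= len, which the checks in this file maintain, and after the check len is at most BUF_MAX_SIZE, so the cast is exact. buf_getint is defined below buf_eatstring, so the call also relies on a prototype in buffer.h that is not visible in this diff.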