bugzilla-daemon at mindrot.org
2021-Jan-10 09:04 UTC
[Bug 3250] New: Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Bug ID: 3250
Summary: Integer overflow in ConnectTimeout
Product: Portable OpenSSH
Version: 8.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: berardi.dav at gmail.com
Created attachment 3465
--> https://bugzilla.mindrot.org/attachment.cgi?id=3465&action=edit
Proposed Patch
Setting a high value for the ConnectionTimeout option will make it
negative. This will result in an integer overflow undetected by the
previous checks.
PoC: (ArchLinux GNU/Linux)
$ uname -a
Linux haigha 5.10.5-arch1-1 #1 SMP PREEMPT Thu, 07 Jan 2021 09:50:43 +0000 x86_64 GNU/Linux
$ gcc --version
gcc (GCC) 10.2.0
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ clang --version
clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
[1] 26360 abort (core dumped) ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jan-10 09:06 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Davide Berardi <berardi.dav at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |berardi.dav at gmail.com
bugzilla-daemon at mindrot.org
2021-Jan-11 00:32 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Blocks| |3217
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2021-Jan-11 00:37 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3465 is obsolete|0 |1
CC| |djm at mindrot.org
Attachment #3466 Flags| |ok?(djm at mindrot.org)
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3466
--> https://bugzilla.mindrot.org/attachment.cgi?id=3466&action=edit
convtime return long -> int
There's a bit more to it than that. convtime() returns -1 on error
including negative values, but it returns a long. On a platform where
sizeof(int) != sizeof(long), convtime can accept a large positive value
that then wraps to negative. I think the correct thing to do is to
change convtime to return int.
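The mechanism Comment #1 describes, as an added illustration (this is not OpenSSH's convtime() and not the attached patch): a simplified seconds-with-suffix parser that, like the pre-fix convtime(), returns a long and reports errors as -1. On an LP64 platform (sizeof(long) == 8, sizeof(int) == 4) the value 2147483648 (0x80000000) is a valid non-negative long, so the caller's "< 0" check passes, yet storing it into an int option field narrows it to a negative number. The hardened variant applies the approach the comment suggests, returning int and rejecting anything above INT_MAX before the narrowing happens. Function names, the suffix set and the sample inputs are my own assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Simplified convtime()-style parser (added example, not OpenSSH code).
 * Accepts a non-negative decimal number with an optional single suffix
 * s/m/h/d/w. Returns the total number of seconds as a long, or -1 on error.
 * This mirrors the pre-fix shape: the result type is long, so on LP64 it
 * can legitimately hold values that do not fit in an int.
 */
long parse_seconds_long(const char *s)
{
    char *end;
    long v, mult;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || v < 0)
        return -1;                      /* not a number, out of long range, or negative */

    switch (*end) {
    case '\0': return v;                /* plain seconds */
    case 's': mult = 1; break;
    case 'm': mult = 60; break;
    case 'h': mult = 3600; break;
    case 'd': mult = 86400; break;
    case 'w': mult = 604800; break;
    default:  return -1;                /* unknown suffix */
    }
    if (end[1] != '\0')
        return -1;                      /* exactly one suffix character allowed */
    if (v > LONG_MAX / mult)
        return -1;                      /* multiplication would overflow long */
    return v * mult;
}

/*
 * Pre-fix consumer pattern: the long result is range-checked only for
 * "< 0" and then stored in an int. On LP64, "2147483648" survives the
 * check and is narrowed to a negative int (INT_MIN with gcc/clang),
 * which is the condition the bug report triggered.
 */
int connect_timeout_unchecked(const char *s)
{
    long v = parse_seconds_long(s);
    if (v < 0)
        return -1;                      /* only catches what the parser flagged */
    int timeout = (int)v;               /* silent narrowing: the defect */
    return timeout;
}

/*
 * Hardened variant, following the comment's suggestion that the parser
 * itself return int: anything that does not fit in an int is an error,
 * so no caller can narrow an out-of-range value by accident.
 */
int parse_seconds_int(const char *s)
{
    long v = parse_seconds_long(s);
    if (v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

int main(void)
{
    /* Constructed sample inputs; the last one is the value from the report. */
    const char *inputs[] = { "30", "5m", "2h", "2147483647", "2147483648", "-1", "10x" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("%-12s long=%ld  unchecked-int=%d  checked-int=%d\n",
               inputs[i], parse_seconds_long(inputs[i]),
               connect_timeout_unchecked(inputs[i]),
               parse_seconds_int(inputs[i]));
    }
    return 0;
}
```

On an ILP32 platform the long and int ranges coincide, strtol() reports ERANGE for 2147483648 and the parser already rejects it; the silent wrap only appears where long is wider than int, which is exactly the platform condition the comment names.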
bugzilla-daemon at mindrot.org
2021-Jan-11 20:36 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
patch has been applied and will be in 8.5 release. thanks for the
report.
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
command-line line 0: invalid time value.
bugzilla-daemon at mindrot.org
2021-Jan-24 23:44 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |andres at antai-group.com
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
*** Bug 3256 has been marked as a duplicate of this bug. ***
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle
bugzilla-daemon at mindrot.org
2023-Jan-13 02:27 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3466 Flags|ok?(djm at mindrot.org) |