bugzilla-daemon at mindrot.org
2015-May-09  10:23 UTC
[Bug 2396] New: Out of bounds read when parsing EscapeChar configuration value
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
            Bug ID: 2396
           Summary: Out of bounds read when parsing EscapeChar
                    configuration value
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jaak+mindrot at ristioja.ee
An out of bounds memory read occurs during parsing the value for
EscapeChar in the following if-statement in readconf.c:1239:

  if (arg[0] == '^' && arg[2] == 0 &&
      (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)

This is erroneous because arg[2] might be one character off the end of
the string. I suggest the first two branches be rewritten as follows:

  if (arg[1] == 0) // was "else if (strlen(arg) == 1)"
      value = (u_char) arg[0];
  else if (arg[0] == '^' && arg[2] == 0 &&
      (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
      value = (u_char) arg[1] & 31;

This ensures that all single-character values are handled correctly and
arg[2] refers to accessible memory.

PS: As an unrelated comment I wish to mention that running ssh through
valgrind's memcheck seems to yield lots of results.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
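
The reported branch order and the suggested reordering, side by side, as an added example (not OpenSSH source and not part of the original report). `rd`, `oob`, `parse_old` and `parse_new` are hypothetical names; `rd` stands in for direct `arg[i]` indexing so a read past the terminator is recorded instead of performed, and `arg` is assumed to be non-empty.

```c
#include <stdio.h>
#include <string.h>

static int oob;  /* set when a parser asks for a byte past the NUL */

/* Bounds-tracking stand-in for arg[i] (hypothetical helper).
 * Index strlen(arg) is the terminator and is still a valid read. */
static unsigned char rd(const char *arg, size_t i)
{
    if (i > strlen(arg)) {
        oob = 1;
        return 0;
    }
    return (unsigned char)arg[i];
}

/* Branch order as reported: caret test first. arg assumed non-empty. */
static int parse_old(const char *arg)
{
    oob = 0;
    if (rd(arg, 0) == '^' && rd(arg, 2) == 0 &&
        rd(arg, 1) >= 64 && rd(arg, 1) < 128)
        return rd(arg, 1) & 31;
    else if (strlen(arg) == 1)
        return rd(arg, 0);
    return -1;  /* any other value is outside this sketch */
}

/* Order suggested in the report: single-character test first. */
static int parse_new(const char *arg)
{
    oob = 0;
    if (rd(arg, 1) == 0)
        return rd(arg, 0);
    else if (rd(arg, 0) == '^' && rd(arg, 2) == 0 &&
        rd(arg, 1) >= 64 && rd(arg, 1) < 128)
        return rd(arg, 1) & 31;
    return -1;
}

int main(void)
{
    const char *in[] = { "^", "~", "^C", "^Cx", "^1" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int o = parse_old(in[i]), oflag = oob, n = parse_new(in[i]);
        printf("%-4s old=%d oob=%d  new=%d oob=%d\n", in[i], o, oflag, n, oob);
    }
    return 0;
}
```

Only the one-character value `^` makes the old order index past the terminator, and both orders return the same value for it.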
bugzilla-daemon at mindrot.org
2015-May-11  02:57 UTC
[Bug 2396] Out of bounds read when parsing EscapeChar configuration value
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |djm at mindrot.org
             Blocks|                            |2360
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
(In reply to Jaak Ristioja from comment #0)
> PS: As an unrelated comment I wish to mention that running ssh
> through valgrind's memcheck seems to yield lots of results.

There are some leaks, but there shouldn't be any memory faults. Please
report any that you see - we fix all memory errors that we see.

NB. OpenSSL's AES-NI support causes a lot of false positives under
valgrind - you might have to disable AES-NI using:

export OPENSSL_ia32cap="~0x200000200000000"
bugzilla-daemon at mindrot.org
2015-May-22  04:33 UTC
[Bug 2396] Out of bounds read when parsing EscapeChar configuration value
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
   Attachment #2628|                            |ok?(dtucker at zip.com.au)
              Flags|                            |
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2628
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2628&action=edit
reorder EscapeChar tests to avoid 1-byte OOB read
bugzilla-daemon at mindrot.org
2015-May-22  04:37 UTC
[Bug 2396] Out of bounds read when parsing EscapeChar configuration value
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Darren Tucker <dtucker at zip.com.au> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2628|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2015-May-22  04:46 UTC
[Bug 2396] Out of bounds read when parsing EscapeChar configuration value
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
applied - this will be in OpenSSH 6.9, thanks!
bugzilla-daemon at mindrot.org
2015-Aug-11  13:03 UTC
[Bug 2396] Out of bounds read when parsing EscapeChar configuration value
https://bugzilla.mindrot.org/show_bug.cgi?id=2396
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1