bugzilla-daemon at mindrot.org
2021-Jan-10 09:04 UTC
[Bug 3250] New: Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

            Bug ID: 3250
           Summary: Integer overflow in ConnectTimeout
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: berardi.dav at gmail.com

Created attachment 3465
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3465&action=edit
Proposed Patch

Setting a high value for the ConnectionTimeout option will make it negative.
This will result in an integer overflow undetected by the previous checks.

PoC: (ArchLinux GNU/Linux)

$ uname -a
Linux haigha 5.10.5-arch1-1 #1 SMP PREEMPT Thu, 07 Jan 2021 09:50:43 +0000 x86_64 GNU/Linux
$ gcc --version
gcc (GCC) 10.2.0
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ clang --version
clang version 11.0.0
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
$ ./ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
[1]    26360 abort (core dumped)  ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jan-10 09:06 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Davide Berardi <berardi.dav at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |berardi.dav at gmail.com
bugzilla-daemon at mindrot.org
2021-Jan-11 00:32 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
             Blocks|                            |3217

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2021-Jan-11 00:37 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3465|0                           |1
        is obsolete|                            |
                 CC|                            |djm at mindrot.org
   Attachment #3466|                            |ok?(djm at mindrot.org)
              Flags|                            |

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3466
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3466&action=edit
convtime return long -> int

There's a bit more to it than that. convtime() returns -1 on error including
negative values, but it returns a long. On a platform where sizeof(int) !=
sizeof(long), convtime can accept a large positive value that then wraps to
negative. I think the correct thing to do is to change convtime to return int.
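The mechanism Darren describes, as an added example that is not OpenSSH's code and not the attached patch: a simplified convtime()-style parser in its pre-fix shape (returns long, -1 on error) beside a post-fix shape (returns int, with an explicit INT_MAX bound). The function names convtime_long, convtime_int and prefix_truncated are hypothetical, and only plain seconds plus an s/m/h suffix are parsed; the real convtime() accepts more forms. On an LP64 platform (64-bit long, 32-bit int) the value 2147483648 passes the "not negative" check on the long and only turns negative when the caller stores it into an int field, which is exactly the reporter's ConnectTimeout=$(( 0x80000000 )) case.

```c
/* Added example, not OpenSSH's own code. Models why a long-returning
 * time parser lets 2147483648 through and why returning int fixes it. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Pre-fix shape (hypothetical name): parse "N", "Ns", "Nm" or "Nh" into
 * seconds, returning long, or -1 on error (including negative input).
 * On LP64, 2147483648 fits comfortably in a long and is accepted. */
long convtime_long(const char *s)
{
    char *end;
    long v, mult = 1;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || v < 0)   /* overflow, no digits, negative */
        return -1;
    switch (*end) {
    case '\0':                    break;
    case 's': case 'S': mult = 1;    end++; break;
    case 'm': case 'M': mult = 60;   end++; break;
    case 'h': case 'H': mult = 3600; end++; break;
    default:            return -1;
    }
    if (*end != '\0')
        return -1;
    if (v > LONG_MAX / mult)      /* multiplication would overflow long */
        return -1;
    return v * mult;
}

/* Post-fix shape (hypothetical name): same parser, but the result is
 * bounded to int range before it is handed back, so the caller can
 * never truncate a large positive value into a negative one. */
int convtime_int(const char *s)
{
    long v = convtime_long(s);

    if (v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

/* Models the pre-fix caller: the option field is an int, so the long is
 * narrowed on assignment. Returns the stored value, or -1 if rejected.
 * With gcc/clang on x86_64 the narrowing of 2147483648 yields INT_MIN. */
int prefix_truncated(const char *s)
{
    struct { int connection_timeout; } opt;
    long v = convtime_long(s);

    if (v == -1)
        return -1;               /* the "previous check" the report mentions */
    opt.connection_timeout = (int)v;
    return opt.connection_timeout;
}

int main(void)
{
    const char *inputs[] = { "30", "1h", "2147483647", "2147483648", "-5" };
    size_t i;

    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-11s pre-fix stored=%d  post-fix=%d\n",
               inputs[i], prefix_truncated(inputs[i]), convtime_int(inputs[i]));
    return 0;
}
```

On an ILP32 build the pre-fix parser already rejects 2147483648 because strtol() sets ERANGE, which is why the bug only shows on platforms where long is wider than int.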
bugzilla-daemon at mindrot.org
2021-Jan-11 20:36 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Patch has been applied and will be in the 8.5 release. Thanks for the report.

$ ./ssh -o ConnectTimeout=$(( 0x80000000 )) localhost
command-line line 0: invalid time value.
bugzilla-daemon at mindrot.org
2021-Jan-24 23:44 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andres at antai-group.com

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
*** Bug 3256 has been marked as a duplicate of this bug. ***
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Close bugs that were resolved in the OpenSSH 8.5 release cycle.
bugzilla-daemon at mindrot.org
2023-Jan-13 02:27 UTC
[Bug 3250] Integer overflow in ConnectTimeout
https://bugzilla.mindrot.org/show_bug.cgi?id=3250

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3466|ok?(djm at mindrot.org)       |
              Flags|                            |