search for: run_err

...!= '\0') + usage(); + break; + case 'Z': + fd_inset = strtod(optarg, &endp); + if (fd_inset < 0 || *endp != '\0') + usage(); + break; default: usage(); } @@ -680,6 +694,16 @@ syserr: run_err("%s: %s", name, strerr run_err("%s: %s", name, "Negative file size"); goto next; } + if (fd_offset > stb.st_size) { + run_err("Offset greater than file size"); + goto next; + } + if (fd_inset > stb.st_size) { + run_err("Inset...

..., O_RDONLY, 0)) < 0) - goto syserr; - if (fstat(fd, &stb) < 0) { + if (linkflag) { + fd = -1; + result = lstat(name, &stb); + } + else { + if ((fd = open(name, O_RDONLY, 0)) < 0) + goto syserr; + result = fstat(fd, &stb); + } + if (result < 0) { syserr: run_err("%s: %s", name, strerror(errno)); goto next; } switch (stb.st_mode & S_IFMT) { + case S_IFLNK: + /* readlink later */ + break; case S_IFREG: + if (fd < 0 && (fd = open(name, O_RDONLY, 0)) < 0) + goto syserr; break; case S_IFDIR: @@ -586,6 +6...

...(src) + CMDNEEDS + 20; + len = strlen(src) + cmdlen + 20; bp = xmalloc(len); (void) snprintf(bp, len, "%s -f %s", cmd, src); if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) { @@ -582,7 +602,10 @@ (void) atomicio(write, remout, "", 1); else run_err("%s: %s", name, strerror(haderr)); - (void) response(); + if (response() == 0 && eraseflag && !haderr) { + if (unlink(name) < 0) + run_err("%s: %s", name, strerror(errno)); + } } } @@ -656,7 +679,7 @@ int amt, count, exists, first, mask, mode, of...

If the source and destination file are identical, the receiving scp truncates the file. On the sending end, read() returns 0, and garbage is sent instead of actual data, and the receiving end puts it into the file, which at least confuses the users. -- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/

...se '6': case 'C': @@ -505,6 +507,12 @@ name[--len] = '\0'; if ((fd = open(name, O_RDONLY, 0)) < 0) goto syserr; + /*Check for filename containing a newline*/ + if ((last = strchr(name, '\n')) != NULL) { + run_err("%s: filename contains a newline, ignoring it", + name); + goto next; + } if (fstat(fd, &stb) < 0) { syserr: run_err("%s: %s", name, strerror(errno)); goto next; -- "At least you know where...

...but the RSA private key is in the IC card. I did not change any source code of scp. I mean scp.c. I set all authentication methods to "no" in sshd_config but ICCAuthentication yes. ssh works very well with this authentication method. But scp is not good with it. scp always run_err() in the following context in scp.c: void sink(argc, argv) { .... ..... if(first){ run_err("%s",cp); exit(1); } ...... ...... } That means that "first" is always true. What does &quo...

...s also present on other OS's, but at the moment, I have confirmed it only on HP systems. Running tusc on an "scp -t" process shows that ftruncate is being called no matter what. In sink() in file scp.c, we can see: if (ftruncate(ofd, size)) { run_err("%s: truncate: %s", np, strerror(errno)); wrerr = DISPLAYED; } This code fragment should be enclosed in this if condition: if(wrerr == NO){ if (ftruncate(ofd, size)) { run_err("%s: trunca...

...if (targisdir) { >- static char *namebuf = NULL; >- static size_t cursize; >- size_t need; >- >- need = strlen(targ) + strlen(cp) + 250; >- if (need > cursize) { >- if (namebuf != NULL) >- free(namebuf); >- if (!(namebuf = malloc(need))) >- run_err("%s", strerror(errno)); >- cursize = need; >+ if (strlen(targ) + (*targ ? 1 : 0) + strlen(cp) >+ >= sizeof(path)) { >+ run_err("%s%s%s: name too long", targ, >+ *targ ? "/" : "", cp); >+ exit(1); > } >- (voi...

...least *authoritatively* incorrect. -- Hitchiker's Guide To The Galaxy -------------- next part -------------- --- scp.c.orig Thu Feb 8 21:20:50 2001 +++ scp.c Thu Feb 8 21:21:21 2001 @@ -207,7 +207,6 @@ char *colon(char *); void lostconn(int); void nospace(void); -int okname(char *); void run_err(const char *,...); void verifydir(char *); @@ -371,8 +370,6 @@ tuser = argv[argc - 1]; if (*tuser == '\0') tuser = NULL; - else if (!okname(tuser)) - exit(1); } else { thost = argv[argc - 1]; tuser = NULL; @@ -395,8 +392,6 @@ suser = argv[i]; if (*suser ==...

..." -u" : "", targetshouldbedirectory ? " -d" : ""); (void) signal(SIGPIPE, lostconn); *************** *** 651,659 **** haderr = errno; fd = -1; } ! if (!haderr) (void) atomicio(vwrite, remout, "", 1); ! else run_err("%s: %s", name, strerror(haderr)); (void) response(); } --- 658,672 ---- haderr = errno; fd = -1; } ! if (!haderr) { ! if (delete_source) { ! if (verbose_mode) { ! fprintf(stderr, "Deleting source: %s\n", name); ! } ! unlink(name); !...

...:00:35 -0000 @@ -364,6 +364,7 @@ void tolocal(int, char *[]); void toremote(char *, int, char *[]); void usage(void); +void verifypath(char *); int main(int argc, char **argv) @@ -551,6 +552,18 @@ } void +verifypath(char *file) +{ + if (access(file, F_OK) == -1) + { + errno = ENOENT; + run_err("%s: %s",file,strerror(errno)); + killchild(0); + } +} + + +void toremote(char *targ, int argc, char **argv) { char *bp, *host, *src, *suser, *thost, *tuser, *arg; @@ -656,6 +669,7 @@ if (remin == -1) { xasprintf(&bp, "%s -t %s%s", cmd, *targ == '-...

...p.c 2001/02/18 03:55:16 1.56 +++ scp.c 2001/02/19 09:31:27 @@ -802,16 +802,16 @@ sink(argc, argv) } vect[0] = xstrdup(np); sink(1, vect); - if (vect[0]) - xfree(vect[0]); if (setimes) { setimes = 0; - if (utimes(np, tv) < 0) + if (utimes(vect[0], tv) < 0) run_err("%s: set times: %s", - np, strerror(errno)); + vect[0], strerror(errno)); } if (mod_flag) - (void) chmod(np, mode); + (void) chmod(vect[0], mode); + if (vect[0]) + xfree(vect[0]); continue; } omode = mode; Corinna -- Corinna Vinschen Cygwin Develo...

...= read(remin, cp, amt); if (j == -1 && (errno == EINTR || errno == EAGAIN)) { continue; } else if (j <= 0) { run_err("%s", j ? strerror(errno) : "dropped connection"); exit(1); } amt -= j; cp += j;...

...write operations */ + int readonly = 0; + /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = _PATH_SSH_PROGRAM; *************** *** 307,312 **** --- 310,319 ---- exit(errs != 0); } if (tflag) { + if (readonly) { + run_err("permission denied"); + exit(1); + } /* Receive data. */ sink(argc, argv); exit(errs != 0); *** sftp-server.c@@\main\1 Tue Oct 1 17:27:26 2002 --- sftp-server.c Tue Nov 5 10:07:54 2002 *************** *** 52,57 **** --- 52,60 ---- /* Version of client */...

Hey, So, I would be looking at type A. Forgive me if my understanding of how OpenSSH operates is not reflective of reality. I am assuming that, the file transfer is happening somewhat logically, with a name being known, content written, blah blah. >From reading scp.c, it appears that, the client end at least knows the file name so I must assume the server end must be given it. I am hoping to

http://bugzilla.mindrot.org/show_bug.cgi?id=863 ------- Additional Comments From dtucker at zip.com.au 2004-06-25 18:49 ------- I can't reproduce it here on Linux (with bash). Maybe the problem is related to shell expansion? What shell are you using at both ends? Try echoing the command locally and via ssh and see what it expands to: echo scp -p hosta:/tmp/[a-z]** . ssh hosta

...if (*cp < '0' || *cp > '7') @@ -812,11 +920,31 @@ } omode = mode; mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { + i = statbytes = 0; + if (resume != 1) { + if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); - continue; + continue; + } + /* Send response */ + (void) atomicio(write, remout, "", 1); + } else { + if ((ofd = open(np, O_WRONLY | O_APPEND | O_CREAT, mode)) < 0) { + run_err("%s: %s", np, strerror...

...gid directory do not inherit the sgid bit. I believe this is a bug. A patch to fix this is attached. Regards, Petr Skovron -------------- next part -------------- --- scp.c.orig 2005-10-11 16:50:17.000000000 +0200 +++ scp.c 2005-10-11 16:57:25.000000000 +0200 @@ -876,8 +876,12 @@ run_err("%s: set times: %s", vect[0], strerror(errno)); } - if (mod_flag) + if (mod_flag) { + if (stat(vect[0], &stb)==0) + mode= (mode & S_IRWXU) | + (stb.st_mode & ~S_IRWXU); (void) chmod(vect[0], mode); + } if (vect[0]) xfree(vect[0]...

Hello, I would like to request an update of the progress regarding fixes for the recently disclosed SCP vulnerability (CVE-2018-20685, CVE-2019-6111, CVE-2019-6109, CVE-2019-6110) It has been stated that CVE-2018-20685 has been patched in november but there are currently no information available on the progress of patches regarding the other CVEs. Will there be a patched release any time soon?