- djm@cvs.openbsd.org 2011/12/07 05:44:38

author Damien Miller <djm@mindrot.org>

Sun, 18 Dec 2011 23:52:50 +0000 (10:52 +1100)

committer Damien Miller <djm@mindrot.org>

Sun, 18 Dec 2011 23:52:50 +0000 (10:52 +1100)
author Damien Miller <djm@mindrot.org>
Sun, 18 Dec 2011 23:52:50 +0000 (10:52 +1100)
committer Damien Miller <djm@mindrot.org>
Sun, 18 Dec 2011 23:52:50 +0000 (10:52 +1100)
diff --git a/ChangeLog b/ChangeLog

index 3f0471d700501196df247c864ec045ebfab3c9c3..a0655485714e478b5d2e0c26c457cbfc41f5a66e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,10 @@
       > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
       > ok dtucker@
       it interacts badly with ControlPersist
+   - djm@cvs.openbsd.org 2011/12/07 05:44:38
+     [auth2.c dh.c packet.c roaming.h roaming_client.c roaming_common.c]
+     fix some harmless and/or unreachable int overflows;
+     reported Xi Wang, ok markus@
  
  20111125
   - OpenBSD CVS Sync
diff --git a/auth2.c b/auth2.c

index c06c95f0611428d13c63c8e55e291b5bb1143d0e..b66bef64cc4131dfaca16280454c3cc2e8542876 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.123 2011/03/10 02:52:57 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.124 2011/12/07 05:44:38 djm Exp $ */
  /*
   * Copyright (c) 2000 Markus Friedl.  All rights reserved.
   *
@@ -113,7 +113,7 @@ auth2_read_banner(void)
                 close(fd);
                 return (NULL);
         }
-       if (st.st_size > 1*1024*1024) {
+       if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
                 close(fd);
                 return (NULL);
         }
diff --git a/dh.c b/dh.c

index b9029d867e18e42cd390314597b35fdf1179eb81..d943ca1e1bc2112e2d099fa88235e80266c78ce4 100644 (file)
--- a/dh.c
+++ b/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.48 2009/10/01 11:37:33 grunk Exp $ */
+/* $OpenBSD: dh.c,v 1.49 2011/12/07 05:44:38 djm Exp $ */
  /*
   * Copyright (c) 2000 Niels Provos.  All rights reserved.
   *
@@ -236,6 +236,8 @@ dh_gen_key(DH *dh, int need)
  {
         int i, bits_set, tries = 0;
  
+       if (need < 0)
+               fatal("dh_gen_key: need < 0");
         if (dh->p == NULL)
                 fatal("dh_gen_key: dh->p == NULL");
         if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
diff --git a/packet.c b/packet.c

index ba93417317a20cdfd94f728541ceedaf0fc8e0fb..5e82fe7537c1587a4f900d447d0e2277ad4dd0f0 100644 (file)
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.173 2011/05/06 21:14:05 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.174 2011/12/07 05:44:38 djm Exp $ */
  /*
   * Author: Tatu Ylonen <ylo@cs.hut.fi>
   * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -242,7 +242,7 @@ packet_set_connection(int fd_in, int fd_out)
  void
  packet_set_timeout(int timeout, int count)
  {
-       if (timeout == 0 || count == 0) {
+       if (timeout <= 0 || count <= 0) {
                 active_state->packet_timeout_ms = -1;
                 return;
         }
diff --git a/roaming.h b/roaming.h

index 6bb94cc391db810a96598f01acdc77abbd1e053c..da069f878736cd6824bf374e5adad2e8f65109c1 100644 (file)
--- a/roaming.h
+++ b/roaming.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming.h,v 1.5 2009/10/24 11:11:58 andreas Exp $ */
+/* $OpenBSD: roaming.h,v 1.6 2011/12/07 05:44:38 djm Exp $ */
  /*
   * Copyright (c) 2004-2009 AppGate Network Security AB
   *
@@ -18,8 +18,9 @@
  #ifndef ROAMING_H
  #define ROAMING_H
  
-#define DEFAULT_ROAMBUF 65536
-#define ROAMING_REQUEST "roaming@appgate.com"
+#define DEFAULT_ROAMBUF        65536
+#define MAX_ROAMBUF    (2*1024*1024) /* XXX arbitrary */
+#define ROAMING_REQUEST        "roaming@appgate.com"
  
  extern int roaming_enabled;
  extern int resume_in_progress;
diff --git a/roaming_client.c b/roaming_client.c

index cea8e7360ad9e950b2b0dadf053b326f213e7261..48009d781d00ba49cb6a8d1fd102228c666e15cd 100644 (file)
--- a/roaming_client.c
+++ b/roaming_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_client.c,v 1.3 2010/01/18 01:50:27 dtucker Exp $ */
+/* $OpenBSD: roaming_client.c,v 1.4 2011/12/07 05:44:38 djm Exp $ */
  /*
   * Copyright (c) 2004-2009 AppGate Network Security AB
   *
@@ -72,7 +72,7 @@ roaming_reply(int type, u_int32_t seq, void *ctxt)
         cookie = packet_get_int64();
         key1 = oldkey1 = packet_get_int64();
         key2 = oldkey2 = packet_get_int64();
-       set_out_buffer_size(packet_get_int() +  get_snd_buf_size());
+       set_out_buffer_size(packet_get_int() + get_snd_buf_size());
         roaming_enabled = 1;
  }
  
diff --git a/roaming_common.c b/roaming_common.c

index 9adbe56fcbb941126902a66af1d51317a4314c31..8d0b6054a0baac067208783eeb59bddf5b42528b 100644 (file)
--- a/roaming_common.c
+++ b/roaming_common.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_common.c,v 1.8 2010/01/12 00:59:29 djm Exp $ */
+/* $OpenBSD: roaming_common.c,v 1.9 2011/12/07 05:44:38 djm Exp $ */
  /*
   * Copyright (c) 2004-2009 AppGate Network Security AB
   *
@@ -75,6 +75,8 @@ get_recv_buf_size()
  void
  set_out_buffer_size(size_t size)
  {
+       if (size == 0 || size > MAX_ROAMBUF)
+               fatal("%s: bad buffer size %lu", __func__, (u_long)size);
         /*
          * The buffer size can only be set once and the buffer will live
          * as long as the session lives.
author	Damien Miller <djm@mindrot.org>
	Sun, 18 Dec 2011 23:52:50 +0000 (10:52 +1100)
committer	Damien Miller <djm@mindrot.org>
	Sun, 18 Dec 2011 23:52:50 +0000 (10:52 +1100)
ChangeLog		patch \| blob \| blame \| history
auth2.c		patch \| blob \| blame \| history
dh.c		patch \| blob \| blame \| history
packet.c		patch \| blob \| blame \| history
roaming.h		patch \| blob \| blame \| history
roaming_client.c		patch \| blob \| blame \| history
roaming_common.c		patch \| blob \| blame \| history