From 56ce0aa3c6cf28d9fcbce3207457abeac91b5050 Mon Sep 17 00:00:00 2001
From: "tobias@openbsd.org"
Date: Wed, 14 Aug 2024 15:40:30 +0000
Subject: [PATCH] upstream: Extend sshbuf validation

Multiple sshbuf structs can be linked through a parent/child relationship. Make sure that a single sshbuf cannot be its own parent. If this would ever happen, it would result in reference counting issues. This is a cheap way of testing this with very little overhead. It does not detect A->B->A linkages though for performance reason and the fact that it takes a programming error for this to occur anyway.
Authored with Benny Baumann (BenBE at geshi dot org).
ok djm@
OpenBSD-Commit-ID: fb3fa9ee2cad3c7e842ebadfd7f5db220c4aaf16
---
 sshbuf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sshbuf.c b/sshbuf.c
index 690dce6fa..0ae3095db 100644
--- a/sshbuf.c
+++ b/sshbuf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshbuf.c,v 1.21 2024/08/14 15:37:11 tobias Exp $ */
+/* $OpenBSD: sshbuf.c,v 1.22 2024/08/14 15:40:30 tobias Exp $ */
 /*
 * Copyright (c) 2011 Damien Miller
 *
@@ -57,6 +57,7 @@ sshbuf_check_sanity(const struct sshbuf *buf)
 SSHBUF_TELL("sanity");
 if (__predict_false(buf == NULL ||
 (!buf->readonly && buf->d != buf->cd) ||
+ buf->parent == buf ||
 buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||
 buf->cd == NULL ||
 buf->max_size > SSHBUF_SIZE_MAX ||
@@ -132,7 +133,8 @@ sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent)
 if ((r = sshbuf_check_sanity(child)) != 0 ||
 (r = sshbuf_check_sanity(parent)) != 0)
 return r;
- if (child->parent != NULL && child->parent != parent)
+ if ((child->parent != NULL && child->parent != parent) ||
+ child == parent)
 return SSH_ERR_INTERNAL_ERROR;
 child->parent = parent;
 child->parent->refcount++;
--
2.47.3
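Review bot: The new `buf->parent == buf` test in sshbuf_check_sanity carries no comment saying that it only catches a buffer that is directly its own parent; the limitation (an A->B->A chain still passes) is recorded only in the commit message. A short comment above the condition, for example `/* parent == buf catches direct self-parenting only; longer cycles are not detected */`, would keep a later reader from treating this as full cycle detection. The test sits after `buf == NULL` in the same `||` chain, so the dereference is covered by short-circuit evaluation. The condition continues past the end of the hunk.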
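Review bot: In sshbuf_set_parent the guard still lets a call through when `child->parent` already equals `parent`, and the context line `child->parent->refcount++;` then runs again for a link that already exists. If the parent reference is released only once per child (that code is outside this hunk, so this is inferred), a repeated call would leave the parent's refcount one too high, which is the same class of reference-counting problem the commit is guarding against. Returning early for the already-linked case, `if (child->parent == parent) return 0;` placed before the assignment, would make the call idempotent; confirm no caller relies on the extra reference first. The function's body starts before and ends after the hunk.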