upstream: Fix two separate one-byte out-of-cound reads
authordjm@openbsd.org <djm@openbsd.org>
Sun, 31 May 2026 04:51:45 +0000 (04:51 +0000)
committerDamien Miller <djm@mindrot.org>
Sun, 31 May 2026 05:03:57 +0000 (15:03 +1000)
1) if a server sent an empty reply to a SSH2_FXP_REALPATH request
2) if a batch command used the full 2048 byte buffer but ended in a
  literal backslash character

Both reported by Zhenpeng (Leo) Lin from depthfirst

ok markus@

OpenBSD-Commit-ID: d1ccc1f5a6eb109065ce8a552fea8e502381ce59

sftp.c

diff --git a/sftp.c b/sftp.c
index eebb166e8de42d3673fe970fdcb40b427033671f..0ab9206c2772e402fad03fdc7c3fb759078940b6 100644 (file)
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.250 2026/02/11 17:01:34 dtucker Exp $ */
+/* $OpenBSD: sftp.c,v 1.251 2026/05/31 04:51:45 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -369,10 +369,9 @@ path_strip(const char *path, const char *strip)
 {
        size_t len;
 
-       if (strip == NULL)
+       if (strip == NULL || (len = strlen(strip)) == 0)
                return (xstrdup(path));
 
-       len = strlen(strip);
        if (strncmp(path, strip, len) == 0) {
                if (strip[len - 1] != '/' && path[len] == '/')
                        len++;
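Review bot: The new guard on the `if` line gives no hint why an empty `strip` has to be rejected, and `strip[len - 1]` three lines below is the only reader that depends on `len >= 1`; without a comment a later refactor can separate the two again. Suggest, above the `if`: `/* NULL/empty prefix strips nothing; also keeps strip[len - 1] below in bounds (an empty REALPATH reply reached this). */`. Note that `path[len]` on the same line is in bounds only because `strncmp` matched `len` non-NUL bytes of `path` first, so that ordering is worth a word as well. path_strip continues past the end of the hunk.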
@@ -1283,6 +1282,8 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
                                        /* Unescape everything */
                                        /* XXX support \n and friends? */
                                        i++;
+                                       if (arg[i] == '\0')
+                                               goto early_nul;
                                        argvs[j++] = arg[i];
                                }
                        }
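Review bot: The new terminator check covers only this unquoted-state branch of the backslash handler; the quoted-state branch of the same handler sits above the hunk, outside view, and if its fallback case still reads `argvs[j++] = arg[i++]; argvs[j++] = arg[i];` without testing `arg[i + 1]` for `'\0'`, a quoted argument whose final byte is a backslash at the end of a full buffer would copy the NUL and let the loop's trailing `i++` step past it in the same way this hunk fixes for unquoted text. That is inferred from the pattern, not from visible lines, so it is worth verifying rather than assuming fixed. A short comment on the new check would also make the jump's purpose clear at the site, e.g. `/* backslash is the last byte: do not copy the NUL, treat as unterminated */`. makeargv starts and ends outside the hunk.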
@@ -1293,6 +1294,7 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
                                goto string_done;
                } else if (arg[i] == '\0') {
                        if (state == MA_SQUOTE || state == MA_DQUOTE) {
+ early_nul:
                                if (sloppy) {
                                        state = MA_UNQUOTED;
                                        if (terminated != NULL)
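Review bot: `early_nul:` is placed inside the `if (state == MA_SQUOTE || state == MA_DQUOTE)` block, so the goto from the unquoted backslash case enters that block with `state == MA_UNQUOTED`, which the condition on the line above the label would otherwise exclude; a reader following the label will take the quoted-state assumptions of that block for granted. The non-sloppy arm of the `if (sloppy)` below (outside the hunk) presumably reports an unterminated quoted argument, which would be a misleading diagnostic for a bare trailing backslash. Suggest a comment at the label, `/* also entered from the unquoted trailing-backslash case, with state == MA_UNQUOTED */`, and, if the error path is shared, wording that covers both cases. makeargv continues past the end of the hunk.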