LILiK
/
openwrt-packages-dist

From 11b88754cadcad0ba79b4ffcc127223248dccb54 Mon Sep 17 00:00:00 2001From: "dtucker@openbsd.org" <dtucker@openbsd.org>Date: Wed, 23 Jan 2019 08:01:46 +0000Subject: upstream: Sanitize scp filenames via snmprintf. To do this we move
the progressmeter formatting outside of signal handler context and have theatomicio callback called for EINTR too.  bz#2434 with contributions from djmand jjelen at redhat.com, ok djm@
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
CVE-2019-6109
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54cBug-Debian: https://bugs.debian.org/793412Last-Update: 2019-02-08
Patch-Name: sanitize-scp-filenames-via-snmprintf.patch---
 atomicio.c      | 20 ++++++++++++++----- progressmeter.c | 53 ++++++++++++++++++++++--------------------------- progressmeter.h |  3 ++- scp.c           |  1 + sftp-client.c   | 16 ++++++++------- 5 files changed, 51 insertions(+), 42 deletions(-)
diff --git a/atomicio.c b/atomicio.c
index f854a06f5..d91bd7621 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
 		res = (f) (fd, s + pos, n - pos); 		switch (res) { 		case -1:-			if (errno == EINTR)
+			if (errno == EINTR) {
+				/* possible SIGALARM, update callback */
+				if (cb != NULL && cb(cb_arg, 0) == -1) {
+					errno = EINTR;
+					return pos;
+				}
 				continue;-			if (errno == EAGAIN || errno == EWOULDBLOCK) {
+			} else if (errno == EAGAIN || errno == EWOULDBLOCK) {
 #ifndef BROKEN_READ_COMPARISON 				(void)poll(&pfd, 1, -1); #endif@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
 		res = (f) (fd, iov, iovcnt); 		switch (res) { 		case -1:-			if (errno == EINTR)
+			if (errno == EINTR) {
+				/* possible SIGALARM, update callback */
+				if (cb != NULL && cb(cb_arg, 0) == -1) {
+					errno = EINTR;
+					return pos;
+				}
 				continue;-			if (errno == EAGAIN || errno == EWOULDBLOCK) {
+			} else if (errno == EAGAIN || errno == EWOULDBLOCK) {
 #ifndef BROKEN_READV_COMPARISON 				(void)poll(&pfd, 1, -1); #endifdiff --git a/progressmeter.c b/progressmeter.c
index fe9bf52e4..add462dde 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -31,6 +31,7 @@
  #include <errno.h> #include <signal.h>+#include <stdarg.h>
 #include <stdio.h> #include <string.h> #include <time.h>@@ -39,6 +40,7 @@
 #include "progressmeter.h" #include "atomicio.h" #include "misc.h"+#include "utf8.h"
  #define DEFAULT_WINSIZE 80 #define MAX_WINSIZE 512@@ -61,7 +63,7 @@ static void setscreensize(void);
 void refresh_progress_meter(void);  /* signal handler for updating the progress meter */-static void update_progress_meter(int);
+static void sig_alarm(int);
  static double start;		/* start progress */ static double last_update;	/* last progress update */@@ -74,6 +76,7 @@ static long stalled;		/* how long we have been stalled */
 static int bytes_per_second;	/* current speed in bytes per second */ static int win_size;		/* terminal window size */ static volatile sig_atomic_t win_resized; /* for window resizing */+static volatile sig_atomic_t alarm_fired;
  /* units for format_size */ static const char unit[] = " KMGT";@@ -126,9 +129,17 @@ refresh_progress_meter(void)
 	off_t bytes_left; 	int cur_speed; 	int hours, minutes, seconds;-	int i, len;
 	int file_len; +	if ((!alarm_fired && !win_resized) || !can_output())
+		return;
+	alarm_fired = 0;
+
+	if (win_resized) {
+		setscreensize();
+		win_resized = 0;
+	}
+
 	transferred = *counter - (cur_pos ? cur_pos : start_pos); 	cur_pos = *counter; 	now = monotime_double();@@ -158,16 +169,11 @@ refresh_progress_meter(void)
  	/* filename */ 	buf[0] = '\0';-	file_len = win_size - 35;
+	file_len = win_size - 36;
 	if (file_len > 0) {-		len = snprintf(buf, file_len + 1, "\r%s", file);
-		if (len < 0)
-			len = 0;
-		if (len >= file_len + 1)
-			len = file_len;
-		for (i = len; i < file_len; i++)
-			buf[i] = ' ';
-		buf[file_len] = '\0';
+		buf[0] = '\r';
+		snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
+		    file_len * -1, file);
 	}  	/* percent of transfer done */@@ -228,22 +234,11 @@ refresh_progress_meter(void)
  /*ARGSUSED*/ static void-update_progress_meter(int ignore)
+sig_alarm(int ignore)
 {-	int save_errno;
-
-	save_errno = errno;
-
-	if (win_resized) {
-		setscreensize();
-		win_resized = 0;
-	}
-	if (can_output())
-		refresh_progress_meter();
-
-	signal(SIGALRM, update_progress_meter);
+	signal(SIGALRM, sig_alarm);
+	alarm_fired = 1;
 	alarm(UPDATE_INTERVAL);-	errno = save_errno;
 }  void@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
 	bytes_per_second = 0;  	setscreensize();-	if (can_output())
-		refresh_progress_meter();
+	refresh_progress_meter();
 -	signal(SIGALRM, update_progress_meter);
+	signal(SIGALRM, sig_alarm);
 	signal(SIGWINCH, sig_winch); 	alarm(UPDATE_INTERVAL); }@@ -286,6 +280,7 @@ stop_progress_meter(void)
 static void sig_winch(int sig) {+	signal(SIGWINCH, sig_winch);
 	win_resized = 1; } diff --git a/progressmeter.h b/progressmeter.h
index bf179dca6..8f6678060 100644
--- a/progressmeter.h
+++ b/progressmeter.h
@@ -24,4 +24,5 @@
  */  void	start_progress_meter(const char *, off_t, off_t *);+void	refresh_progress_meter(void);
 void	stop_progress_meter(void);diff --git a/scp.c b/scp.c
index 7163d33dc..80308573c 100644
--- a/scp.c
+++ b/scp.c
@@ -593,6 +593,7 @@ scpio(void *_cnt, size_t s)
 	off_t *cnt = (off_t *)_cnt;  	*cnt += s;+	refresh_progress_meter();
 	if (limit_kbps > 0) 		bandwidth_limit(&bwlimit, s); 	return 0;diff --git a/sftp-client.c b/sftp-client.c
index 4986d6d8d..2bc698f86 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
 { 	struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; -	bandwidth_limit(bwlimit, amount);
+	refresh_progress_meter();
+	if (bwlimit != NULL)
+		bandwidth_limit(bwlimit, amount);
 	return 0; } @@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
 	iov[1].iov_base = (u_char *)sshbuf_ptr(m); 	iov[1].iov_len = sshbuf_len(m); -	if (atomiciov6(writev, conn->fd_out, iov, 2,
-	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
+	if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
+	    conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
 	    sshbuf_len(m) + sizeof(mlen)) 		fatal("Couldn't send packet: %s", strerror(errno)); @@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
  	if ((r = sshbuf_reserve(m, 4, &p)) != 0) 		fatal("%s: buffer error: %s", __func__, ssh_err(r));-	if (atomicio6(read, conn->fd_in, p, 4,
-	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
+	if (atomicio6(read, conn->fd_in, p, 4, sftpio,
+	    conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
 		if (errno == EPIPE || errno == ECONNRESET) 			fatal("Connection closed"); 		else@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
  	if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) 		fatal("%s: buffer error: %s", __func__, ssh_err(r));-	if (atomicio6(read, conn->fd_in, p, msg_len,
-	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
+	if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
+	    conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
 	    != msg_len) { 		if (errno == EPIPE) 			fatal("Connection closed");