LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14264 Commits
1 Branch
46 MiB
Tree: fd54ecea2e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fd54ecea2e'
${ noResults }
openwrt-packages-dist/net/openssh/patches/0006-scp-handle-braces.patch

353 lines
8.5 KiB
Raw Normal View History

openssh: add upstream patches, including CVE-2019-6111 Signed-off-by: Peter Wagner <tripolar@gmx.at>
6 years ago
 
  1. From 7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab Mon Sep 17 00:00:00 2001
  2. From: "djm@openbsd.org" <djm@openbsd.org>
  3. Date: Sun, 10 Feb 2019 11:15:52 +0000
  4. Subject: upstream: when checking that filenames sent by the server side
  5. 

  6. match what the client requested, be prepared to handle shell-style brace
  7. alternations, e.g. "{foo,bar}".
  8. 

  9. "looks good to me" millert@ + in snaps for the last week courtesy
  10. deraadt@
  11. 

  12. OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
  13. 

  14. Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
  15. Bug-Debian: https://bugs.debian.org/923486
  16. Last-Update: 2019-03-01
  17. 

  18. Patch-Name: scp-handle-braces.patch
  19. ---

  20.  scp.c | 280 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
  21.  1 file changed, 269 insertions(+), 11 deletions(-)
  22. 

  23. diff --git a/scp.c b/scp.c

  24. index 035037bcc..3888baab0 100644

  25. --- a/scp.c

  26. +++ b/scp.c

  27. @@ -635,6 +635,253 @@ parse_scp_uri(const char *uri, char **userp, char **hostp, int *portp,

  28.  	return r;
  29.  }
  30.  
  31. +/* Appends a string to an array; returns 0 on success, -1 on alloc failure */

  32. +static int

  33. +append(char *cp, char ***ap, size_t *np)

  34. +{

  35. +	char **tmp;

  36. +

  37. +	if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL)

  38. +		return -1;

  39. +	tmp[(*np)] = cp;

  40. +	(*np)++;

  41. +	*ap = tmp;

  42. +	return 0;

  43. +}

  44. +

  45. +/*

  46. + * Finds the start and end of the first brace pair in the pattern.

  47. + * returns 0 on success or -1 for invalid patterns.

  48. + */

  49. +static int

  50. +find_brace(const char *pattern, int *startp, int *endp)

  51. +{

  52. +	int i;

  53. +	int in_bracket, brace_level;

  54. +

  55. +	*startp = *endp = -1;

  56. +	in_bracket = brace_level = 0;

  57. +	for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) {

  58. +		switch (pattern[i]) {

  59. +		case '\\':

  60. +			/* skip next character */

  61. +			if (pattern[i + 1] != '\0')

  62. +				i++;

  63. +			break;

  64. +		case '[':

  65. +			in_bracket = 1;

  66. +			break;

  67. +		case ']':

  68. +			in_bracket = 0;

  69. +			break;

  70. +		case '{':

  71. +			if (in_bracket)

  72. +				break;

  73. +			if (pattern[i + 1] == '}') {

  74. +				/* Protect a single {}, for find(1), like csh */

  75. +				i++; /* skip */

  76. +				break;

  77. +			}

  78. +			if (*startp == -1)

  79. +				*startp = i;

  80. +			brace_level++;

  81. +			break;

  82. +		case '}':

  83. +			if (in_bracket)

  84. +				break;

  85. +			if (*startp < 0) {

  86. +				/* Unbalanced brace */

  87. +				return -1;

  88. +			}

  89. +			if (--brace_level <= 0)

  90. +				*endp = i;

  91. +			break;

  92. +		}

  93. +	}

  94. +	/* unbalanced brackets/braces */

  95. +	if (*endp < 0 && (*startp >= 0 || in_bracket))

  96. +		return -1;

  97. +	return 0;

  98. +}

  99. +

  100. +/*

  101. + * Assembles and records a successfully-expanded pattern, returns -1 on

  102. + * alloc failure.

  103. + */

  104. +static int

  105. +emit_expansion(const char *pattern, int brace_start, int brace_end,

  106. +    int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)

  107. +{

  108. +	char *cp;

  109. +	int o = 0, tail_len = strlen(pattern + brace_end + 1);

  110. +

  111. +	if ((cp = malloc(brace_start + (sel_end - sel_start) +

  112. +	    tail_len + 1)) == NULL)

  113. +		return -1;

  114. +

  115. +	/* Pattern before initial brace */

  116. +	if (brace_start > 0) {

  117. +		memcpy(cp, pattern, brace_start);

  118. +		o = brace_start;

  119. +	}

  120. +	/* Current braced selection */

  121. +	if (sel_end - sel_start > 0) {

  122. +		memcpy(cp + o, pattern + sel_start,

  123. +		    sel_end - sel_start);

  124. +		o += sel_end - sel_start;

  125. +	}

  126. +	/* Remainder of pattern after closing brace */

  127. +	if (tail_len > 0) {

  128. +		memcpy(cp + o, pattern + brace_end + 1, tail_len);

  129. +		o += tail_len;

  130. +	}

  131. +	cp[o] = '\0';

  132. +	if (append(cp, patternsp, npatternsp) != 0) {

  133. +		free(cp);

  134. +		return -1;

  135. +	}

  136. +	return 0;

  137. +}

  138. +

  139. +/*

  140. + * Expand the first encountered brace in pattern, appending the expanded

  141. + * patterns it yielded to the *patternsp array.

  142. + *

  143. + * Returns 0 on success or -1 on allocation failure.

  144. + *

  145. + * Signals whether expansion was performed via *expanded and whether

  146. + * pattern was invalid via *invalid.

  147. + */

  148. +static int

  149. +brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp,

  150. +    int *expanded, int *invalid)

  151. +{

  152. +	int i;

  153. +	int in_bracket, brace_start, brace_end, brace_level;

  154. +	int sel_start, sel_end;

  155. +

  156. +	*invalid = *expanded = 0;

  157. +

  158. +	if (find_brace(pattern, &brace_start, &brace_end) != 0) {

  159. +		*invalid = 1;

  160. +		return 0;

  161. +	} else if (brace_start == -1)

  162. +		return 0;

  163. +

  164. +	in_bracket = brace_level = 0;

  165. +	for (i = sel_start = brace_start + 1; i < brace_end; i++) {

  166. +		switch (pattern[i]) {

  167. +		case '{':

  168. +			if (in_bracket)

  169. +				break;

  170. +			brace_level++;

  171. +			break;

  172. +		case '}':

  173. +			if (in_bracket)

  174. +				break;

  175. +			brace_level--;

  176. +			break;

  177. +		case '[':

  178. +			in_bracket = 1;

  179. +			break;

  180. +		case ']':

  181. +			in_bracket = 0;

  182. +			break;

  183. +		case '\\':

  184. +			if (i < brace_end - 1)

  185. +				i++; /* skip */

  186. +			break;

  187. +		}

  188. +		if (pattern[i] == ',' || i == brace_end - 1) {

  189. +			if (in_bracket || brace_level > 0)

  190. +				continue;

  191. +			/* End of a selection, emit an expanded pattern */

  192. +

  193. +			/* Adjust end index for last selection */

  194. +			sel_end = (i == brace_end - 1) ? brace_end : i;

  195. +			if (emit_expansion(pattern, brace_start, brace_end,

  196. +			    sel_start, sel_end, patternsp, npatternsp) != 0)

  197. +				return -1;

  198. +			/* move on to the next selection */

  199. +			sel_start = i + 1;

  200. +			continue;

  201. +		}

  202. +	}

  203. +	if (in_bracket || brace_level > 0) {

  204. +		*invalid = 1;

  205. +		return 0;

  206. +	}

  207. +	/* success */

  208. +	*expanded = 1;

  209. +	return 0;

  210. +}

  211. +

  212. +/* Expand braces from pattern. Returns 0 on success, -1 on failure */

  213. +static int

  214. +brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp)

  215. +{

  216. +	char *cp, *cp2, **active = NULL, **done = NULL;

  217. +	size_t i, nactive = 0, ndone = 0;

  218. +	int ret = -1, invalid = 0, expanded = 0;

  219. +

  220. +	*patternsp = NULL;

  221. +	*npatternsp = 0;

  222. +

  223. +	/* Start the worklist with the original pattern */

  224. +	if ((cp = strdup(pattern)) == NULL)

  225. +		return -1;

  226. +	if (append(cp, &active, &nactive) != 0) {

  227. +		free(cp);

  228. +		return -1;

  229. +	}

  230. +	while (nactive > 0) {

  231. +		cp = active[nactive - 1];

  232. +		nactive--;

  233. +		if (brace_expand_one(cp, &active, &nactive,

  234. +		    &expanded, &invalid) == -1) {

  235. +			free(cp);

  236. +			goto fail;

  237. +		}

  238. +		if (invalid)

  239. +			fatal("%s: invalid brace pattern \"%s\"", __func__, cp);

  240. +		if (expanded) {

  241. +			/*

  242. +			 * Current entry expanded to new entries on the

  243. +			 * active list; discard the progenitor pattern.

  244. +			 */

  245. +			free(cp);

  246. +			continue;

  247. +		}

  248. +		/*

  249. +		 * Pattern did not expand; append the finename component to

  250. +		 * the completed list

  251. +		 */

  252. +		if ((cp2 = strrchr(cp, '/')) != NULL)

  253. +			*cp2++ = '\0';

  254. +		else

  255. +			cp2 = cp;

  256. +		if (append(xstrdup(cp2), &done, &ndone) != 0) {

  257. +			free(cp);

  258. +			goto fail;

  259. +		}

  260. +		free(cp);

  261. +	}

  262. +	/* success */

  263. +	*patternsp = done;

  264. +	*npatternsp = ndone;

  265. +	done = NULL;

  266. +	ndone = 0;

  267. +	ret = 0;

  268. + fail:

  269. +	for (i = 0; i < nactive; i++)

  270. +		free(active[i]);

  271. +	free(active);

  272. +	for (i = 0; i < ndone; i++)

  273. +		free(done[i]);

  274. +	free(done);

  275. +	return ret;

  276. +}

  277. +

  278.  void
  279.  toremote(int argc, char **argv)
  280.  {
  281. @@ -998,7 +1245,8 @@ sink(int argc, char **argv, const char *src)

  282.  	unsigned long long ull;
  283.  	int setimes, targisdir, wrerrno = 0;
  284.  	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
  285. -	char *src_copy = NULL, *restrict_pattern = NULL;

  286. +	char **patterns = NULL;

  287. +	size_t n, npatterns = 0;

  288.  	struct timeval tv[2];
  289.  
  290.  #define	atime	tv[0]
  291. @@ -1028,16 +1276,13 @@ sink(int argc, char **argv, const char *src)

  292.  		 * Prepare to try to restrict incoming filenames to match
  293.  		 * the requested destination file glob.
  294.  		 */
  295. -		if ((src_copy = strdup(src)) == NULL)

  296. -			fatal("strdup failed");

  297. -		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {

  298. -			*restrict_pattern++ = '\0';

  299. -		}

  300. +		if (brace_expand(src, &patterns, &npatterns) != 0)

  301. +			fatal("%s: could not expand pattern", __func__);

  302.  	}
  303.  	for (first = 1;; first = 0) {
  304.  		cp = buf;
  305.  		if (atomicio(read, remin, cp, 1) != 1)
  306. -			return;

  307. +			goto done;

  308.  		if (*cp++ == '\n')
  309.  			SCREWUP("unexpected <newline>");
  310.  		do {
  311. @@ -1063,7 +1308,7 @@ sink(int argc, char **argv, const char *src)

  312.  		}
  313.  		if (buf[0] == 'E') {
  314.  			(void) atomicio(vwrite, remout, "", 1);
  315. -			return;

  316. +			goto done;

  317.  		}
  318.  		if (ch == '\n')
  319.  			*--cp = 0;
  320. @@ -1138,9 +1383,14 @@ sink(int argc, char **argv, const char *src)

  321.  			run_err("error: unexpected filename: %s", cp);
  322.  			exit(1);
  323.  		}
  324. -		if (restrict_pattern != NULL &&

  325. -		    fnmatch(restrict_pattern, cp, 0) != 0)

  326. -			SCREWUP("filename does not match request");

  327. +		if (npatterns > 0) {

  328. +			for (n = 0; n < npatterns; n++) {

  329. +				if (fnmatch(patterns[n], cp, 0) == 0)

  330. +					break;

  331. +			}

  332. +			if (n >= npatterns)

  333. +				SCREWUP("filename does not match request");

  334. +		}

  335.  		if (targisdir) {
  336.  			static char *namebuf;
  337.  			static size_t cursize;
  338. @@ -1299,7 +1549,15 @@ bad:			run_err("%s: %s", np, strerror(errno));

  339.  			break;
  340.  		}
  341.  	}
  342. +done:

  343. +	for (n = 0; n < npatterns; n++)

  344. +		free(patterns[n]);

  345. +	free(patterns);

  346. +	return;

  347.  screwup:
  348. +	for (n = 0; n < npatterns; n++)

  349. +		free(patterns[n]);

  350. +	free(patterns);

  351.  	run_err("protocol error: %s", why);
  352.  	exit(1);
  353.  }