From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 3 Jun 2020 10:04:09 +0200
Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
Thanks to Ramin Farajpour Cami for spotting this.
Fixes T232
Signed-off-by: Andreas Schneider
---
 src/sftpserver.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index 5a2110e5..b639a2ce 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 /* take a copy of the whole packet */
 msg->complete_message = ssh_buffer_new();
+ if (msg->complete_message == NULL) {
+ ssh_set_error_oom(session);
+ sftp_client_message_free(msg);
+ return NULL;
+ }
+
 ssh_buffer_add_data(msg->complete_message,
 ssh_buffer_get(payload),
 ssh_buffer_get_len(payload));
--
GitLab
From dbfb7f44aa905a7103bdde9a198c1e9b0f480c2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 3 Jun 2020 10:05:51 +0200
Subject: [PATCH 2/4] sftpserver: Add missing return check for ssh_buffer_add_data()
Signed-off-by: Andreas Schneider
---
 src/sftpserver.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/sftpserver.c b/src/sftpserver.c
index b639a2ce..9117f155 100644
--- a/src/sftpserver.c
+++ b/src/sftpserver.c
@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 return NULL;
 }
- ssh_buffer_add_data(msg->complete_message,
- ssh_buffer_get(payload),
- ssh_buffer_get_len(payload));
+ rc = ssh_buffer_add_data(msg->complete_message,
+ ssh_buffer_get(payload),
+ ssh_buffer_get_len(payload));
+ if (rc < 0) {
+ ssh_set_error_oom(session);
+ sftp_client_message_free(msg);
+ return NULL;
+ }
 ssh_buffer_get_u32(payload, &msg->id);
--
GitLab
From 65ae496222018221080dd753a52f6d70bf3ca5f3 Mon Sep 17 00:00:00 2001
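Review bot: In the [PATCH 2/4] hunk of src/sftpserver.c, the context line right after the new check, `ssh_buffer_get_u32(payload, &msg->id);`, still discards its return value, so a payload shorter than four bytes would leave `msg->id` at whatever value it already held while parsing of the client-supplied packet continues. Assuming the helper returns the number of bytes read, as the other ssh_buffer_get_* helpers appear to, the call could be guarded with `if (ssh_buffer_get_u32(payload, &msg->id) != sizeof(uint32_t)) {` followed by the same free-and-return-NULL cleanup. The error set there should say the packet is short rather than out of memory. The declaration of `rc` and the rest of sftp_get_client_message are outside the hunk, so whether the later reads are checked cannot be seen from here.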
From: Andreas Schneider
Date: Wed, 3 Jun 2020 10:10:11 +0200
Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
Signed-off-by: Andreas Schneider
---
 src/buffer.c | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index a2e6246a..476bc135 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
 */
 int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
 {
- buffer_verify(buffer);
+ buffer_verify(buffer);
- if (data == NULL) {
- return -1;
- }
+ if (data == NULL) {
+ return -1;
+ }
- if (buffer->used + len < len) {
- return -1;
- }
+ if (buffer->used + len < len) {
+ return -1;
+ }
- if (buffer->allocated < (buffer->used + len)) {
- if(buffer->pos > 0)
- buffer_shift(buffer);
- if (realloc_buffer(buffer, buffer->used + len) < 0) {
- return -1;
+ if (buffer->allocated < (buffer->used + len)) {
+ if (buffer->pos > 0) {
+ buffer_shift(buffer);
+ }
+ if (realloc_buffer(buffer, buffer->used + len) < 0) {
+ return -1;
+ }
 }
- }
- memcpy(buffer->data+buffer->used, data, len);
- buffer->used+=len;
- buffer_verify(buffer);
- return 0;
+ memcpy(buffer->data + buffer->used, data, len);
+ buffer->used += len;
+ buffer_verify(buffer);
+ return 0;
 }
 /**
--
GitLab
From df0acab3a077bd8ae015e3e8b4c71ff31b5900fe Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 3 Jun 2020 10:11:21 +0200
Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
Signed-off-by: Andreas Schneider
---
 src/buffer.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/buffer.c b/src/buffer.c
index 476bc135..ce12f491 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
 */
 int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
 {
+ if (buffer == NULL) {
+ return -1;
+ }
+
 buffer_verify(buffer);
 if (data == NULL) {
--
GitLab
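Review bot: The new `buffer == NULL` branch returns the same bare -1 as the NULL-data, length-wrap and realloc-failure paths shown in [PATCH 3/4], so a caller cannot tell misuse from memory exhaustion. The sftpserver caller in [PATCH 2/4] reports every one of these through ssh_set_error_oom(). If the doc comment above ssh_buffer_add_data does not already list these cases (only its closing `*/` is in the hunk), it should, for example `@return 0 on success, < 0 on error (NULL buffer or data, length overflow, or allocation failure).` The function body continues outside the hunk.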