[Ttssh2-commit] [7018] サーバからの SSH_MSG_KEXINIT で、name-list が長すぎる時に落ちるのを修正

scmno****@osdn***** scmno****@osdn*****
2018年 1月 11日 (木) 22:19:57 JST


Revision: 7018
          http://sourceforge.jp/projects/ttssh2/scm/svn/commits/7018
Author:   doda
Date:     2018-01-11 22:19:57 +0900 (Thu, 11 Jan 2018)
Log Message:
-----------
サーバからの SSH_MSG_KEXINIT で、name-list が長すぎる時に落ちるのを修正

name-list を格納する為のバッファのサイズが 1024 バイトで、name-list が
それより長かった場合に BoF を起こしていた。
OpenSSH が対応している暗号方式をすべて有効にしても 1024 バイトには
行かないので通常は問題とならないが、悪意のあるサーバに接続した時に
問題となる可能性がある。

OpenSSH でも以下のように設定すれば再現が可能。

Ciphers chach****@opens*****,chach****@opens*****,chacha20…略…ssh.com,aes256-ctr

Modified Paths:
--------------
    trunk/doc/en/html/about/history.html
    trunk/doc/ja/html/about/history.html
    trunk/ttssh2/ttxssh/ssh.c

-------------- next part --------------
Modified: trunk/doc/en/html/about/history.html
===================================================================
--- trunk/doc/en/html/about/history.html	2018-01-11 13:19:52 UTC (rev 7017)
+++ trunk/doc/en/html/about/history.html	2018-01-11 13:19:57 UTC (rev 7018)
@@ -2976,6 +2976,7 @@
       <!--li>\x83V\x83\x8A\x83A\x83\x8B\x83|\x81[\x83g\x90ڑ\xB1\x8E\x9E\x82\xC9 <a href="../menu/file.html">[File]</a> \x83\x81\x83j\x83\x85\x81[\x82\xCC [SSH SCP] \x82\xAA\x96\xB3\x8C\xF8\x82ɂȂ\xE7\x82Ȃ\xA2\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li-->
       <li>When using aes12****@opens***** or aes25****@opens***** as symmetric cipher algorithm, connection is terminated if MAC algorithm cannot negotiate.</li>
       <li>When using aes12****@opens***** or aes25****@opens***** as symmetric cipher algorithm, un-used MAC algorithm is displayed on "About TTSSH" dialog.</li>
+      <li>Application fault is occurred if server proposes a very long string in the algorithm negotiation.</li>
     </ul>
   </li>
 </ul>

Modified: trunk/doc/ja/html/about/history.html
===================================================================
--- trunk/doc/ja/html/about/history.html	2018-01-11 13:19:52 UTC (rev 7017)
+++ trunk/doc/ja/html/about/history.html	2018-01-11 13:19:57 UTC (rev 7018)
@@ -2982,6 +2982,7 @@
       <li>\x83V\x83\x8A\x83A\x83\x8B\x83|\x81[\x83g\x90ڑ\xB1\x8E\x9E\x82\xC9 <a href="../menu/file.html">[File]</a> \x83\x81\x83j\x83\x85\x81[\x82\xCC [SSH SCP] \x82\xAA\x96\xB3\x8C\xF8\x82ɂȂ\xE7\x82Ȃ\xA2\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
       <li>\x88Í\x86\x95\xFB\x8E\xAE\x82\xC5 aes12****@opens***** \x82܂\xBD\x82\xCD aes25****@opens***** \x82\xF0\x8Eg\x97p\x8E\x9E\x81AMAC \x95\xFB\x8E\xAE\x82̃l\x83S\x83V\x83G\x81[\x83V\x83\x87\x83\x93\x82\xAA\x8Ds\x82\xA6\x82Ȃ\xA9\x82\xC1\x82\xBD\x8E\x9E\x82ɐڑ\xB1\x82\xF0\x90؂\xE9\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
       <li>\x88Í\x86\x95\xFB\x8E\xAE\x82\xC5 aes12****@opens***** \x82܂\xBD\x82\xCD aes25****@opens***** \x82\xF0\x8Eg\x97p\x8E\x9E\x81A"About TTSSH" \x83_\x83C\x83A\x83\x8D\x83O\x82Ŏg\x97p\x82\xB5\x82Ă\xA2\x82Ȃ\xA2 MAC \x95\xFB\x8E\xAE\x82\xF0\x95\\x8E\xA6\x82\xB7\x82\xE9\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
+      <li>\x88Í\x86\x95\x{33AE4D9}\x82̃l\x83S\x83V\x83G\x81[\x83V\x83\x87\x83\x93\x8E\x9E\x81A\x83T\x81[\x83o\x82̒\xF1\x88Ă\xAA\x92\xB7\x82\xB7\x82\xAC\x82鎞\x82ɗ\x8E\x82\xBF\x82\xE9\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
     </ul>
   </li>
 </ul>

Modified: trunk/ttssh2/ttxssh/ssh.c
===================================================================
--- trunk/ttssh2/ttxssh/ssh.c	2018-01-11 13:19:52 UTC (rev 7017)
+++ trunk/ttssh2/ttxssh/ssh.c	2018-01-11 13:19:57 UTC (rev 7018)
@@ -4827,7 +4827,7 @@
 {
 	char buf[1024];
 	char *data;
-	int len, i, size;
+	int len, size;
 	int offset = 0;
 	char *msg = NULL;
 	char tmp[1024+512];
@@ -4883,10 +4883,11 @@
 	// \x83L\x81[\x8C\xF0\x8A\xB7\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed kex algorithms is too long.");
 	}
-	buf[i] = '\0'; // null-terminate
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: KEX algorithm: %s", buf);
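Review bot: `strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE)` copies the name-list as a NUL-terminated C string, but in the SSH_MSG_KEXINIT payload it is a length-prefixed field: `size` says where it ends and nothing guarantees a zero byte there, so the copy runs on into the following length word, and when the packet is short potentially past the end of the payload, until it meets a zero byte or fills 1023 characters; the same pattern is repeated in the hostkey, encryption, MAC and compression hunks below. `size` also stays unvalidated against the payload: it is an `int` filled from a 32-bit network value, a huge value passes `size >= sizeof(buf)` only through the implicit unsigned conversion, and `offset += size` can then point outside the payload before the next `get_payload_uint32`. A copy bounded by both `size` and the buffer, preceded by a remaining-length check, keeps `buf` to exactly the bytes the server sent; the enclosing function begins before this hunk and the variable holding the payload length is not visible here, so it is a labelled placeholder below (the new local `n` would be declared alongside `len` and `size`).
```c
	size = get_payload_uint32(pvar, offset);
	offset += 4;
	/* PAYLOAD_LEN: placeholder for the function's total payload length */
	if (size < 0 || size > PAYLOAD_LEN - offset) {
		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed kex algorithms exceeds the payload.");
		/* … treat the packet as malformed and stop processing it … */
	}
	n = (size < (int)sizeof(buf)) ? size : (int)sizeof(buf) - 1;
	if (n != size) {
		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed kex algorithms is too long.");
	}
	memcpy(buf, data + offset, n);   /* exactly the name-list bytes, no NUL search */
	buf[n] = '\0';
	offset += size;
	// … unchanged: logprintf of the server proposal …
```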
@@ -4903,10 +4904,11 @@
 	// \x83z\x83X\x83g\x83L\x81[\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed hostkey algorithms is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: server host key algorithm: %s", buf);
@@ -4931,10 +4933,11 @@
 	// \x83N\x83\x89\x83C\x83A\x83\x93\x83g -> \x83T\x81[\x83o\x88Í\x86\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed encryption algorithms (client to server) is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: encryption algorithm client to server: %s", buf);
@@ -4951,10 +4954,11 @@
 	// \x83T\x81[\x83o -> \x83N\x83\x89\x83C\x83A\x83\x93\x83g\x88Í\x86\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed encryption algorithms (server to client) is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: encryption algorithm server to client: %s", buf);
@@ -4971,10 +4975,11 @@
 	// MAC(Message Authentication Code)\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x82̌\x88\x92\xE8 (2004.12.17 yutaka)
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed MAC algorithms (client to server) is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: MAC algorithm client to server: %s", buf);
@@ -4995,10 +5000,11 @@
 
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed MAC algorithms (server to client) is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: MAC algorithm server to client: %s", buf);
@@ -5022,10 +5028,11 @@
 	// (2005.7.9 yutaka)
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed compression algorithms (client to server) is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: compression algorithm client to server: %s", buf);
@@ -5041,10 +5048,11 @@
 
 	size = get_payload_uint32(pvar, offset);
 	offset += 4;
-	for (i = 0; i < size; i++) {
-		buf[i] = data[offset + i];
+
+	if (size >= sizeof(buf)) {
+		logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed compression algorithms (server to client) is too long.");
 	}
-	buf[i] = 0;
+	strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 	offset += size;
 
 	logprintf(LOG_LEVEL_VERBOSE, "server proposal: compression algorithm server to client: %s", buf);


