
kex.c: use string_buf in ecdh_sha2_nistp (#551)

* kex.c: use string_buf in ecdh_sha2_nistp

file: kex.c

notes:
use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data
Will Cosgrove
2021-01-30 19:32:14 -08:00
committed by GitHub
parent 1f76151c92
commit c69f1f27dc


@@ -1752,26 +1752,24 @@ static int ecdh_sha2_nistp(LIBSSH2_SESSION *session, libssh2_curve_type type,
/* parse INIT reply data */ /* parse INIT reply data */
/* host key K_S */ /* host key K_S */
unsigned char *s = data + 1; /* Advance past packet type */
unsigned char *server_public_key; unsigned char *server_public_key;
size_t server_public_key_len; size_t server_public_key_len;
size_t host_sig_len; struct string_buf buf;
session->server_hostkey_len = buf.data = data;
_libssh2_ntohu32((const unsigned char *)s); buf.len = data_len;
s += 4; buf.dataptr = buf.data;
buf.dataptr++; /* Advance past packet type */
session->server_hostkey = LIBSSH2_ALLOC(session, if(_libssh2_copy_string(session, &buf, &(session->server_hostkey),
session->server_hostkey_len); &server_public_key_len)) {
if(!session->server_hostkey) { ret = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
ret = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "Unable to allocate memory for a copy "
"Unable to allocate memory for a copy " "of the host key");
"of the host key");
goto clean_exit; goto clean_exit;
} }
memcpy(session->server_hostkey, s, session->server_hostkey_len); session->server_hostkey_len = (uint32_t)server_public_key_len;
s += session->server_hostkey_len;
#if LIBSSH2_MD5 #if LIBSSH2_MD5
{ {
@@ -1870,19 +1868,20 @@ static int ecdh_sha2_nistp(LIBSSH2_SESSION *session, libssh2_curve_type type,
} }
/* server public key Q_S */ /* server public key Q_S */
server_public_key_len = _libssh2_ntohu32((const unsigned char *)s); if(_libssh2_get_string(&buf, &server_public_key,
s += 4; &server_public_key_len)) {
ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO,
server_public_key = s; "Unexpected key length");
s += server_public_key_len; goto clean_exit;
}
/* server signature */ /* server signature */
host_sig_len = _libssh2_ntohu32((const unsigned char *)s); if(_libssh2_get_string(&buf, &exchange_state->h_sig,
s += 4; &(exchange_state->h_sig_len))) {
ret = _libssh2_error(session, LIBSSH2_ERROR_HOSTKEY_INIT,
exchange_state->h_sig = s; "Unexpected ecdh server sig length");
exchange_state->h_sig_len = host_sig_len; goto clean_exit;
s += host_sig_len; }
/* Compute the shared secret K */ /* Compute the shared secret K */
rc = _libssh2_ecdh_gen_k(&exchange_state->k, private_key, rc = _libssh2_ecdh_gen_k(&exchange_state->k, private_key,
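Review bot: In the first hunk, a failed `_libssh2_copy_string()` is always reported as `LIBSSH2_ERROR_ALLOC` with "Unable to allocate memory for a copy of the host key", but the helper's body is not shown here and it presumably also fails when the K_S length field overruns `data_len`, which is the malformed-packet case this commit targets. A truncated or hostile INIT reply would then be logged as an out-of-memory condition, hiding the protocol error from anyone triaging logs, whereas the two later `_libssh2_get_string()` checks do report a parse failure. If the helper cannot distinguish the two causes, a neutral message such as `"Unable to parse or copy the host key"` would be more accurate. The same block stores the host-key length in `server_public_key_len` before casting it into `session->server_hostkey_len`; a dedicated local such as `size_t host_key_len;` would avoid reusing the Q_S length variable for K_S. ecdh_sha2_nistp() starts and ends outside both hunks, so whether `data_len` is checked to be at least 1 before `buf.dataptr++` cannot be confirmed from here.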