2018年 1月 11日 (木) 22:19:57 JST
Revision: 7018
http://sourceforge.jp/projects/ttssh2/scm/svn/commits/7018
Author: doda
Date: 2018-01-11 22:19:57 +0900 (Thu, 11 Jan 2018)
Log Message:
-----------
サーバからの SSH_MSG_KEXINIT で、name-list が長すぎる時に落ちるのを修正 name-list を格納する為のバッファのサイズが 1024 バイトで、name-list が それより長かった場合に BoF を起こしていた。 OpenSSH が対応している暗号方式をすべて有効にしても 1024 バイトには 行かないので通常は問題とならないが、悪意のあるサーバに接続した時に 問題となる可能性がある。 OpenSSH でも以下のように設定すれば再現が可能。
Ciphers chach****@opens*****,chach****@opens*****,chacha20…略…ssh.com,aes256-ctr
Modified Paths:
--------------
trunk/doc/en/html/about/history.html
trunk/doc/ja/html/about/history.html
trunk/ttssh2/ttxssh/ssh.c
-------------- next part --------------
Modified: trunk/doc/en/html/about/history.html
===================================================================
--- trunk/doc/en/html/about/history.html 2018-01-11 13:19:52 UTC (rev 7017)
+++ trunk/doc/en/html/about/history.html 2018-01-11 13:19:57 UTC (rev 7018)
@@ -2976,6 +2976,7 @@
 <!--li>\x83V\x83\x8A\x83A\x83\x8B\x83|\x81[\x83g\x90ڑ\xB1\x8E\x9E\x82\xC9 <a href="../menu/file.html">[File]</a> \x83\x81\x83j\x83\x85\x81[\x82\xCC [SSH SCP] \x82\xAA\x96\xB3\x8C\xF8\x82ɂȂ\xE7\x82Ȃ\xA2\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li-->
 <li>When using aes12****@opens***** or aes25****@opens***** as symmetric cipher algorithm, connection is terminated if MAC algorithm cannot negotiate.</li>
 <li>When using aes12****@opens***** or aes25****@opens***** as symmetric cipher algorithm, un-used MAC algorithm is displayed on "About TTSSH" dialog.</li>
+ <li>Application fault is occurred if server proposes a very long string in the algorithm negotiation.</li>
 </ul>
 </li>
 </ul>
Modified: trunk/doc/ja/html/about/history.html
===================================================================
--- trunk/doc/ja/html/about/history.html 2018-01-11 13:19:52 UTC (rev 7017)
+++ trunk/doc/ja/html/about/history.html 2018-01-11 13:19:57 UTC (rev 7018)
@@ -2982,6 +2982,7 @@
 <li>\x83V\x83\x8A\x83A\x83\x8B\x83|\x81[\x83g\x90ڑ\xB1\x8E\x9E\x82\xC9 <a href="../menu/file.html">[File]</a> \x83\x81\x83j\x83\x85\x81[\x82\xCC [SSH SCP] \x82\xAA\x96\xB3\x8C\xF8\x82ɂȂ\xE7\x82Ȃ\xA2\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
 <li>\x88Í\x86\x95\xFB\x8E\xAE\x82\xC5 aes12****@opens***** \x82܂\xBD\x82\xCD aes25****@opens***** \x82\xF0\x8Eg\x97p\x8E\x9E\x81AMAC \x95\xFB\x8E\xAE\x82̃l\x83S\x83V\x83G\x81[\x83V\x83\x87\x83\x93\x82\xAA\x8Ds\x82\xA6\x82Ȃ\xA9\x82\xC1\x82\xBD\x8E\x9E\x82ɐڑ\xB1\x82\xF0\x90\xE9\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
 <li>\x88Í\x86\x95\xFB\x8E\xAE\x82\xC5 aes12****@opens***** \x82܂\xBD\x82\xCD aes25****@opens***** \x82\xF0\x8Eg\x97p\x8E\x9E\x81A"About TTSSH" \x83_\x83C\x83A\x83\x8D\x83O\x82Ŏg\x97p\x82\xB5\x82Ă\xA2\x82Ȃ\xA2 MAC \x95\xFB\x8E\xAE\x82\xF0\x95\\x8E\xA6\x82\xB7\x82\xE9\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
+ <li>\x88Í\x86\x95\x{33AE4D9}\x82̃l\x83S\x83V\x83G\x81[\x83V\x83\x87\x83\x93\x8E\x9E\x81A\x83T\x81[\x83o\x82̒\xF1\x88Ă\xAA\x92\xB7\x82\xB7\x82\xAC\x82鎞\x82ɗ\x8E\x82\xBF\x82\xE9\x96\xE2\x91\xE8\x82\xF0\x8FC\x90\xB3\x82\xB5\x82\xBD\x81B</li>
 </ul>
 </li>
 </ul>
Modified: trunk/ttssh2/ttxssh/ssh.c
===================================================================
--- trunk/ttssh2/ttxssh/ssh.c 2018-01-11 13:19:52 UTC (rev 7017)
+++ trunk/ttssh2/ttxssh/ssh.c 2018-01-11 13:19:57 UTC (rev 7018)
@@ -4827,7 +4827,7 @@
 {
 char buf[1024];
 char *data;
- int len, i, size;
+ int len, size;
 int offset = 0;
 char *msg = NULL;
 char tmp[1024+512];
@@ -4883,10 +4883,11 @@
 // \x83L\x81[\x8C\xF0\x8A\xB7\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed kex algorithms is too long.");
 }
- buf[i] = '\0'; // null-terminate
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: KEX algorithm: %s", buf);
@@ -4903,10 +4904,11 @@
 // \x83z\x83X\x83g\x83L\x81[\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed hostkey algorithms is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: server host key algorithm: %s", buf);
@@ -4931,10 +4933,11 @@
 // \x83N\x83\x89\x83C\x83A\x83\x93\x83g -> \x83T\x81[\x83o\x88Í\x86\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed encryption algorithms (client to server) is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: encryption algorithm client to server: %s", buf);
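Review bot: `strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE)` in this hunk bounds the copy by `buf` but not by `size`; a KEXINIT name-list is length-prefixed rather than NUL-terminated, so the copy keeps reading past the field until it meets a zero byte or fills 1023 characters, and in practice stops at the field end only because the next length prefix usually begins with 0x00. Copying the announced length makes the fix independent of what follows the field: `strncpy_s(buf, sizeof(buf), data + offset, size >= sizeof(buf) ? _TRUNCATE : (size_t)size);` — the same line recurs in hunks -4903, -4931, -4951, -4971, -4995, -5022 and -5041. Neither side of the diff compares `size` with the remaining payload length (not visible here), so `data+offset` and `offset += size` still trust the server-supplied value, and a negative `int size` passes the `>= sizeof(buf)` test only to move `offset` backwards. When the field is truncated the list ends mid-name and negotiation continues on a warning; rejecting the KEXINIT as malformed would be the more conservative response. The enclosing function starts before the -4827 hunk and ends after -5041.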
@@ -4951,10 +4954,11 @@
 // \x83T\x81[\x83o -> \x83N\x83\x89\x83C\x83A\x83\x93\x83g\x88Í\x86\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x83`\x83F\x83b\x83N
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed encryption algorithms (server to client) is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: encryption algorithm server to client: %s", buf);
@@ -4971,10 +4975,11 @@
 // MAC(Message Authentication Code)\x83A\x83\x8B\x83S\x83\x8A\x83Y\x83\x80\x82̌\x88\x92\xE8 (2004.12.17 yutaka)
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed MAC algorithms (client to server) is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: MAC algorithm client to server: %s", buf);
@@ -4995,10 +5000,11 @@
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed MAC algorithms (server to client) is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: MAC algorithm server to client: %s", buf);
@@ -5022,10 +5028,11 @@
 // (2005.7.9 yutaka)
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed compression algorithms (client to server) is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: compression algorithm client to server: %s", buf);
@@ -5041,10 +5048,11 @@
 size = get_payload_uint32(pvar, offset);
 offset += 4;
- for (i = 0; i < size; i++) {
- buf[i] = data[offset + i];
+
+ if (size >= sizeof(buf)) {
+ logputs(LOG_LEVEL_WARNING, __FUNCTION__ ": server proposed compression algorithms (server to client) is too long.");
 }
- buf[i] = 0;
+ strncpy_s(buf, sizeof(buf), data+offset, _TRUNCATE);
 offset += size;
 logprintf(LOG_LEVEL_VERBOSE, "server proposal: compression algorithm server to client: %s", buf);