This simple additional check hardens sshbuf against linking an sshbuf into itself as parent/child pair, which could lead to ref counting issues. Purely defensive measure. I am not aware that this could happen somehwere in the code by now. Okay?
Index: sshbuf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshbuf.c,v
diff -u -p -u -p -r1.19 sshbuf.c
--- sshbuf.c	2 Dec 2022 04:40:27 -0000	1.19
+++ sshbuf.c	13 Aug 2024 16:52:58 -0000
@@ -55,6 +55,7 @@ sshbuf_check_sanity(const struct sshbuf
 	SSHBUF_TELL("sanity");
 	if (__predict_false(buf == NULL ||
 	    (!buf->readonly && buf->d != buf->cd) ||
+	    buf->parent == buf ||
 	    buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||
 	    buf->cd == NULL ||
 	    buf->max_size > SSHBUF_SIZE_MAX ||
@@ -130,7 +131,8 @@ sshbuf_set_parent(struct sshbuf *child,
 	if ((r = sshbuf_check_sanity(child)) != 0 ||
 	    (r = sshbuf_check_sanity(parent)) != 0)
 		return r;
-	if (child->parent != NULL && child->parent != parent)
+	if ((child->parent != NULL && child->parent != parent) ||
+	    child == parent)
 		return SSH_ERR_INTERNAL_ERROR;
 	child->parent = parent;
 	child->parent->refcount++;
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
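Review bot: The new `child == parent` guard in sshbuf_set_parent and the `buf->parent == buf` term in sshbuf_check_sanity only reject a buffer that is its own direct parent; a two-step cycle (`parent->parent == child`) would still pass both checks and leave the refcounts circular, so the commit message's "linking an sshbuf into itself" is covered only for the one-step case. If longer cycles are considered reachable, sshbuf_set_parent could walk `parent->parent` up to the root and fail with the same SSH_ERR_INTERNAL_ERROR when it reaches `child`, while the sanity check should probably stay single-step since it runs on every buffer operation. A short comment above the new sanity term, `/* a buffer must never be its own parent (refcount cycle) */`, would record why the term exists. Both hunks sit inside functions whose bodies begin before them (the `r` used in sshbuf_set_parent is declared outside the hunk).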