ok On Tue, 13 Aug 2024, Tobias Stoeckmann wrote:
> This simple additional check hardens sshbuf against linking an
> sshbuf into itself as parent/child pair, which could lead to ref
> counting issues.
>
> Purely defensive measure. I am not aware that this could happen
> somehwere in the code by now.
>
> Okay?
>
> Index: sshbuf.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshbuf.c,v
> diff -u -p -u -p -r1.19 sshbuf.c
> --- sshbuf.c 2 Dec 2022 04:40:27 -0000 1.19
> +++ sshbuf.c 13 Aug 2024 16:52:58 -0000
> @@ -55,6 +55,7 @@ sshbuf_check_sanity(const struct sshbuf
> SSHBUF_TELL("sanity");
> if (__predict_false(buf == NULL ||
> (!buf->readonly && buf->d != buf->cd) ||
> + buf->parent == buf ||
> buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||
> buf->cd == NULL ||
> buf->max_size > SSHBUF_SIZE_MAX ||
> @@ -130,7 +131,8 @@ sshbuf_set_parent(struct sshbuf *child,
> if ((r = sshbuf_check_sanity(child)) != 0 ||
> (r = sshbuf_check_sanity(parent)) != 0)
> return r;
> - if (child->parent != NULL && child->parent != parent)
> + if ((child->parent != NULL && child->parent != parent) ||
> + child == parent)
> return SSH_ERR_INTERNAL_ERROR;
> child->parent = parent;
> child->parent->refcount++;
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
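Review bot: The added `buf->parent == buf` term in sshbuf_check_sanity detects only a one-element loop; a parent chain that returns to the buffer through a second buffer would still pass this check. That is a reasonable cost trade-off for an invariant evaluated on every buffer operation, but the limit should be stated so the test is not later read as full cycle detection, for example `/* a buffer must never be its own parent; longer parent cycles are not checked here */` above the new term. The dereference is safe because `buf == NULL ||` short-circuits ahead of it. The rest of the condition and the failure path lie outside the hunk.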
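Review bot: In sshbuf_set_parent, a call where `child->parent` already equals `parent` still falls through to `child->parent->refcount++`, so repeating the same link takes a second reference on the parent. If the release path drops only one reference per child (not visible here, so to be confirmed), the parent would never reach zero and would eventually trip the `SSHBUF_REFS_MAX` bound in the sanity check. Since this change is aimed at ref-counting hardening, an idempotent early exit would close that as well: `if (child->parent == parent) return 0;` placed after the error check and before the assignment. The function's tail is outside the hunk.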