/*
|
|
* Dropbear SSH
|
|
*
|
|
* Copyright (c) 2002,2003 Matt Johnston
|
|
* All rights reserved.
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
* in the Software without restriction, including without limitation the rights
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
* furnished to do so, subject to the following conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be included in
|
|
* all copies or substantial portions of the Software.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
* SOFTWARE. */
|
|
|
|
/* Buffer handling routines, designed to avoid overflows/using invalid data */
|
|
|
|
#include "includes.h"
|
|
#include "dbutil.h"
|
|
#include "buffer.h"
|
|
|
|
/* Prevent integer overflows when incrementing buffer position/length.
 * Calling functions should check arguments first, but this provides a
 * backstop.  Both limits are far below UINT_MAX: since pos <= len <= size
 * <= BUF_MAX_SIZE and every increment is capped at BUF_MAX_INCR, a sum such
 * as "pos + incr" stays below ~2e9 and cannot wrap an unsigned int (nor
 * overflow an int, which buf_incrpos relies on). */
#define BUF_MAX_INCR 1000000000
#define BUF_MAX_SIZE 1000000000

/* avoid excessively large numbers, > ~8192 bits.  Upper bound, in bytes, on
 * the length of an mpint that buf_getmpint will accept from the wire. */
#define BUF_MAX_MPINT (8240 / 8)
|
|
|
|
/* Create (malloc) a new buffer able to hold "size" bytes.  A size of 0 is
 * legal and yields a buffer with no data allocation (data == NULL).
 * Exits via dropbear_exit() when size exceeds BUF_MAX_SIZE.  The caller
 * owns the result and releases it with buf_free(). */
buffer* buf_new(unsigned int size) {

	buffer* buf;

	if (size > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	buf = m_malloc(sizeof *buf);
	/* only allocate backing storage when there is something to hold */
	buf->data = (size > 0) ? m_malloc(size) : NULL;
	buf->size = size;
	buf->pos = 0;
	buf->len = 0;

	return buf;
}
|
|
|
|
/* free the buffer's data and the buffer itself.  buf must not be touched
 * afterwards (the struct itself is released). */
void buf_free(buffer* buf) {

	/* NOTE(review): there is deliberately no ';' after m_free(buf->data);
	 * this relies on m_free (dbutil.h, not shown here) being a macro that
	 * supplies its own statement terminator.  Confirm before changing
	 * the macro. */
	m_free(buf->data)
	m_free(buf);
}
|
|
|
|
/* overwrite the contents of the buffer to clear it.  The whole allocation
 * (buf->size bytes, not just the used length) is passed to m_burn, so
 * stale data beyond len is cleared as well.  pos, len and size are left
 * unchanged.  (m_burn is expected to be a non-elidable wipe -- see dbutil.h,
 * not shown here.) */
void buf_burn(buffer* buf) {

	m_burn(buf->data, buf->size);

}
|
|
|
|
/* Resize a buffer to newsize bytes.  When shrinking, len and pos are
 * clamped to the new size so neither can point past the end of the data.
 * Exits via dropbear_exit() when newsize exceeds BUF_MAX_SIZE.
 * NOTE(review): buf->data is overwritten with m_realloc's result directly;
 * this is only safe if m_realloc aborts rather than returning NULL on
 * failure (the Dropbear wrappers are expected to) -- confirm in dbutil.h. */
void buf_resize(buffer *buf, unsigned int newsize) {

	if (newsize > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	buf->data = m_realloc(buf->data, newsize);
	buf->size = newsize;

	/* clamp the cursors to the (possibly smaller) new extent */
	if (buf->len > newsize) {
		buf->len = newsize;
	}
	if (buf->pos > newsize) {
		buf->pos = newsize;
	}
}
|
|
|
|
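/* Create a copy of buf, allocating required memory etc.
 * The new buffer is sized the same as the length of the source buffer;
 * only the used bytes [0, len) are copied and the copy's pos starts at 0.
 * The caller owns the result and frees it with buf_free(). */
buffer* buf_newcopy(buffer* buf) {

	buffer* ret;

	ret = buf_new(buf->len);
	ret->len = buf->len;
	/* buf_new(0) leaves ret->data NULL (and buf->data may be NULL too);
	 * memcpy with a NULL pointer is undefined even for a zero length, so
	 * only copy when there is something to copy. */
	if (buf->len > 0) {
		memcpy(ret->data, buf->data, buf->len);
	}
	return ret;
}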
|
|
|
|
/* Set the used length of the buffer.  len may not exceed the allocated
 * size; exits via dropbear_exit() otherwise.  pos is not adjusted, so the
 * caller is responsible for keeping pos <= len afterwards. */
void buf_setlen(buffer* buf, unsigned int len) {
	unsigned int capacity = buf->size;

	if (len > capacity) {
		dropbear_exit("bad buf_setlen");
	}
	buf->len = len;
}
|
|
|
|
/* Increment the used length of the buffer by incr.  incr is capped at
 * BUF_MAX_INCR (so len + incr cannot wrap) and the result may not exceed
 * the allocated size; exits via dropbear_exit() otherwise. */
void buf_incrlen(buffer* buf, unsigned int incr) {
	/* unsigned arithmetic: computing this early is harmless even for a
	 * bogus incr, the checks below reject it before it is stored */
	unsigned int newlen = buf->len + incr;

	if (incr > BUF_MAX_INCR || newlen > buf->size) {
		dropbear_exit("bad buf_incrlen");
	}
	buf->len = newlen;
}
|
|
/* Set the read/write position of the buffer.  pos may not exceed the used
 * length; exits via dropbear_exit() otherwise. */
void buf_setpos(buffer* buf, unsigned int pos) {
	unsigned int used = buf->len;

	if (pos > used) {
		dropbear_exit("bad buf_setpos");
	}
	buf->pos = pos;
}
|
|
|
|
/* increment the position by incr, increasing the buffer length if required.
 * The write cursor may move past the used length (len then follows it) but
 * never past the allocated size.  incr is capped at BUF_MAX_INCR so
 * pos + incr cannot wrap; exits via dropbear_exit() on any violation. */
void buf_incrwritepos(buffer* buf, unsigned int incr) {
	unsigned int newpos = buf->pos + incr;

	if (incr > BUF_MAX_INCR || newpos > buf->size) {
		dropbear_exit("bad buf_incrwritepos");
	}
	buf->pos = newpos;
	/* the used length grows to cover everything written so far */
	if (buf->len < newpos) {
		buf->len = newpos;
	}
}
|
|
|
|
/* increment the position by incr, negative values are allowed, to
 * decrement the pos.  The new position must stay within [0, len];
 * exits via dropbear_exit() otherwise. */
void buf_incrpos(buffer* buf, int incr) {
	/* The signed addition cannot overflow: pos <= size <= BUF_MAX_SIZE and
	 * incr <= BUF_MAX_INCR (checked first, short-circuit), so the sum is
	 * well under INT_MAX; a negative incr only moves it towards zero.
	 * The unsigned cast catches results above len, the signed compare
	 * catches results below zero. */
	if (incr > BUF_MAX_INCR ||
			(unsigned int)((int)buf->pos + incr) > buf->len
			|| ((int)buf->pos + incr) < 0) {
		dropbear_exit("bad buf_incrpos");
	}
	/* a negative incr converts to unsigned and wraps modulo 2^32, which
	 * yields the correct smaller pos once the range check above has passed */
	buf->pos += incr;
}
|
|
|
|
/* Get a byte from the buffer and increment the pos.  Exits via
 * dropbear_exit() when no unread bytes remain. */
unsigned char buf_getbyte(buffer* buf) {

	/* This check is really just ==, but the >= allows us to check for the
	 * bad case of pos > len, which should _never_ happen. */
	if (buf->pos >= buf->len) {
		dropbear_exit("bad buf_getbyte");
	}
	return buf->data[buf->pos++];
}
|
|
|
|
/* Get a bool from the buffer and increment the pos.  The byte read is
 * normalised so that any non-zero value is returned as 1 and zero as 0.
 * Exits (via buf_getbyte) when no unread bytes remain. */
unsigned char buf_getbool(buffer* buf) {

	return (buf_getbyte(buf) != 0) ? 1 : 0;
}
|
|
|
|
/* put a byte at the current position and advance pos, incrementing the
 * used length if required.  Writing at pos == len appends; buf_incrlen
 * exits via dropbear_exit() when the allocated size is exhausted. */
void buf_putbyte(buffer* buf, unsigned char val) {
	unsigned int at = buf->pos;

	if (at >= buf->len) {
		buf_incrlen(buf, 1);
	}
	buf->data[at] = val;
	buf->pos = at + 1;
}
|
|
|
|
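/* returns an in-place pointer to the buffer, checking that
 * the next len bytes from that position can be used, i.e. lie within the
 * used length.  Exits via dropbear_exit() otherwise; pos is not moved. */
unsigned char* buf_getptr(buffer* buf, unsigned int len) {

	/* Bound len before adding: pos + len is unsigned arithmetic, and a very
	 * large len (such as a length field taken straight from the wire) could
	 * wrap the sum back below buf->len and slip past the range check.
	 * BUF_MAX_INCR is the same backstop the other increment routines use. */
	if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
		dropbear_exit("bad buf_getptr");
	}
	return &buf->data[buf->pos];
}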
|
|
|
|
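/* like buf_getptr, but checks against total size, not used length.
 * This allows writing past the used length, but not past the size.
 * Exits via dropbear_exit() if len bytes do not fit; pos is not moved
 * (callers follow up with buf_incrwritepos). */
unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {

	/* Bound len before adding: pos + len is unsigned arithmetic, and a very
	 * large len could wrap the sum back below buf->size and defeat the
	 * check.  BUF_MAX_INCR is the same backstop buf_incrwritepos applies. */
	if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
		dropbear_exit("bad buf_getwriteptr");
	}
	return &buf->data[buf->pos];
}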
|
|
|
|
/* Return a null-terminated string, it is malloced, so must be free()ed.
 * Note that the string isn't checked for null bytes, hence the retlen
 * may be longer than what is returned by strlen.
 *
 * Reads a uint32 length followed by that many bytes.  Lengths above
 * MAX_STRING_LEN (defined in a header not shown here) are rejected with
 * dropbear_exit, and buf_getptr exits if fewer than len bytes remain, so
 * the result always holds exactly len bytes plus the terminator.
 * retlen may be NULL when the caller does not need the byte count. */
unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {

	unsigned int len;
	unsigned char* ret;
	len = buf_getint(buf);
	/* bounds the copy and the allocation below (presumably MAX_STRING_LEN is
	 * also small enough that len+1 cannot wrap -- confirm its definition) */
	if (len > MAX_STRING_LEN) {
		dropbear_exit("string too long");
	}

	if (retlen != NULL) {
		*retlen = len;
	}
	ret = m_malloc(len+1);
	memcpy(ret, buf_getptr(buf, len), len);
	buf_incrpos(buf, len);
	ret[len] = '\0';

	return ret;
}
|
|
|
|
/* Just increment the buffer position the same as if we'd used buf_getstring,
 * but don't bother copying/malloc()ing for it.
 * Unlike buf_getstring there is no MAX_STRING_LEN check here: the length
 * (converted from unsigned to int for buf_incrpos) is validated only by
 * buf_incrpos' own range checks, which exit on anything that would move
 * pos outside [0, len]. */
void buf_eatstring(buffer *buf) {

	buf_incrpos( buf, buf_getint(buf) );
}
|
|
|
|
/* Get an uint32 from the buffer and increment the pos.  buf_getptr exits
 * via dropbear_exit() if fewer than 4 unread bytes remain. */
unsigned int buf_getint(buffer* buf) {
	unsigned int ret;

	/* LOAD32H (crypto library macro, not shown here) decodes the 4 bytes;
	 * presumably big-endian / network order as SSH requires -- confirm */
	LOAD32H(ret, buf_getptr(buf, 4));
	buf_incrpos(buf, 4);
	return ret;
}
|
|
|
|
/* put a 32bit uint into the buffer, incr bufferlen & pos if required.
 * ("int unsigned" names the same type as "unsigned int".)  STORE32H is the
 * encoding counterpart of the LOAD32H used in buf_getint; buf_getwriteptr
 * exits via dropbear_exit() if 4 bytes do not fit in the allocated size. */
void buf_putint(buffer* buf, int unsigned val) {

	STORE32H(val, buf_getwriteptr(buf, 4));
	buf_incrwritepos(buf, 4);

}
|
|
|
|
/* put a SSH style string into the buffer, increasing buffer len if required.
 * Writes a uint32 length prefix followed by the len raw bytes of str; no
 * terminator is written and str need not be NUL-terminated. */
void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) {

	buf_putint(buf, len);
	buf_putbytes(buf, str, len);

}
|
|
|
|
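/* put the set of len bytes into the buffer, incrementing the pos, increasing
 * len if required.  buf_getwriteptr exits via dropbear_exit() if the bytes
 * do not fit within the allocated size.  len == 0 is accepted (nothing is
 * copied, pos and len are unchanged). */
void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
	/* keep the range check even for len == 0 so behaviour matches the
	 * other writers; only the copy itself is skipped */
	unsigned char *dst = buf_getwriteptr(buf, len);

	/* memcpy with a NULL source is undefined even for a zero length, and an
	 * empty string may well be passed as (NULL, 0) */
	if (len > 0) {
		memcpy(dst, bytes, len);
	}
	buf_incrwritepos(buf, len);
}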
|
|
|
|
|
|
/* Write mp into the buffer as an SSH mpint: a uint32 length, then the
 * magnitude bytes as produced by mp_to_unsigned_bin, preceded by a single
 * 0x00 byte when the top bit of the first magnitude byte would be set (so a
 * reader cannot mistake the value for a negative one).  Zero is written as
 * a zero length with no data bytes.
 * for our purposes we only need positive (or 0) numbers, so will
 * fail (dropbear_exit) if we get negative numbers */
void buf_putmpint(buffer* buf, mp_int * mp) {

	unsigned int len, pad = 0;
	TRACE(("enter buf_putmpint"))

	dropbear_assert(mp != NULL);

	if (SIGN(mp) == MP_NEG) {
		dropbear_exit("negative bignum");
	}

	/* zero check */
	if (USED(mp) == 1 && DIGIT(mp, 0) == 0) {
		len = 0;
	} else {
		/* SSH spec requires padding for mpints with the MSB set, this code
		 * implements it */
		len = mp_count_bits(mp);
		/* if the top bit of MSB is set, we need to pad: a bit count that is
		 * an exact multiple of 8 means the highest byte has bit 7 set */
		pad = (len%8 == 0) ? 1 : 0;
		len = len / 8 + 1; /* don't worry about rounding, we need it for
							  padding anyway when len%8 == 0 */
		/* len now counts the pad byte (if any) plus the magnitude bytes,
		 * e.g. 8 bits -> pad 1, len 2; 7 bits -> pad 0, len 1 */

	}

	/* store the length */
	buf_putint(buf, len);

	/* store the actual value */
	if (len > 0) {
		if (pad) {
			buf_putbyte(buf, 0x00);
		}
		/* the magnitude occupies len-pad bytes; it is written straight into
		 * the buffer's spare room and the cursor advanced afterwards */
		if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len-pad)) != MP_OKAY) {
			dropbear_exit("mpint error");
		}
		buf_incrwritepos(buf, len-pad);
	}

	TRACE(("leave buf_putmpint"))
}
|
|
|
|
/* Retrieve an mp_int from the buffer.
 * Will fail for -ve since they shouldn't be required here.
 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
 * On DROPBEAR_FAILURE only the 4-byte length has been consumed; the body
 * is left unread.  A body shorter than the stated length makes buf_getptr
 * exit via dropbear_exit() rather than returning failure. */
int buf_getmpint(buffer* buf, mp_int* mp) {

	unsigned int len;
	len = buf_getint(buf);

	/* a zero length encodes the value 0 */
	if (len == 0) {
		mp_zero(mp);
		return DROPBEAR_SUCCESS;
	}

	/* cap the size before handing anything to the bignum library so an
	 * untrusted length cannot drive a huge parse/allocation */
	if (len > BUF_MAX_MPINT) {
		return DROPBEAR_FAILURE;
	}

	/* check for negative: a set top bit in the first byte marks a negative
	 * value.  This only peeks (buf_getptr does not move pos). */
	if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
		return DROPBEAR_FAILURE;
	}

	if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
		return DROPBEAR_FAILURE;
	}

	/* only advance past the body once it has been parsed successfully */
	buf_incrpos(buf, len);
	return DROPBEAR_SUCCESS;
}
|