authorAndreas Schneider <asn@cynapses.org>2010-09-29 12:12:14 +0200
committerAndreas Schneider <asn@cynapses.org>2010-09-29 12:12:14 +0200
commit38359672a546d87c8b2fb040bf30ebaec2ee3651 (patch)
tree61ed8d695e06f52fc8cfc08baff69e5a3ad57d99 /src/misc.c
parent1b471256d4371f4789da6fa345ead4015623abbe (diff)
misc: Make sure ssh_analyze_banner has proper length checks.
Diffstat (limited to 'src/misc.c')
-rw-r--r--src/misc.c56
1 files changed, 37 insertions, 19 deletions
diff --git a/src/misc.c b/src/misc.c
index 061eaf3b..abaa7b1a 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -706,8 +706,21 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
banner = session->serverbanner;
}
- if (banner == NULL ||
- strlen(banner) <= 4 ||
+ if (banner == NULL) {
+ ssh_set_error(session, SSH_FATAL, "Invalid banner");
+ return -1;
+ }
+
+ /*
+ * Typical banners e.g. are:
+ *
+ * SSH-1.5-openSSH_5.4
+ * SSH-1.99-openSSH_3.0
+ *
+ * SSH-2.0-something
+ * 012345678901234567890
+ */
+ if (strlen(banner) < 6 ||
strncmp(banner, "SSH-", 4) != 0) {
ssh_set_error(session, SSH_FATAL, "Protocol mismatch: %s", banner);
return -1;
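Review bot: The threshold in `strlen(banner) < 6` is unexplained, and the index ruler in the new comment does not say which reads the check is meant to protect. A one-line comment would make the contract explicit, for example `/* need at least "SSH-N." so banner[4] and banner[5] exist; banner[6] is then at worst the terminator */`. The banner is presumably supplied by the peer, so this check is what bounds the fixed-offset reads in the switch further down. The function starts before this hunk and continues past it.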
@@ -715,19 +728,15 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
ssh_log(session, SSH_LOG_RARE, "Analyzing banner: %s", banner);
- /*
- * Typical banners e.g. are:
- * SSH-1.5-blah
- * SSH-1.99-blah
- * SSH-2.0-blah
- */
switch(banner[4]) {
case '1':
*ssh1 = 1;
- if (banner[6] == '9') {
- *ssh2 = 1;
- } else {
- *ssh2 = 0;
+ if (strlen(banner) > 6) {
+ if (banner[6] == '9') {
+ *ssh2 = 1;
+ } else {
+ *ssh2 = 0;
+ }
}
break;
case '2':
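Review bot: When the banner is exactly six characters long (for instance `SSH-1.`), the new `if (strlen(banner) > 6)` guard skips both assignments, so `*ssh2` keeps whatever the caller had stored there. After the earlier `strlen(banner) < 6` rejection, `banner[6]` is at worst the terminating NUL, so the guard is not needed for memory safety and only adds this unassigned path. Either drop the guard or assign unconditionally, e.g. `*ssh2 = (strlen(banner) > 6 && banner[6] == '9');`. Whether callers initialise `*ssh2` beforehand is not visible here, and the switch continues past the end of the hunk.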
@@ -741,15 +750,24 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) {
openssh = strstr(banner, "OpenSSH");
if (openssh != NULL) {
- int major, minor;
- major = strtol(openssh + 8, (char **) NULL, 10);
- minor = strtol(openssh + 10, (char **) NULL, 10);
- session->openssh = SSH_VERSION_INT(major, minor, 0);
- ssh_log(session, SSH_LOG_RARE,
- "We are talking to an OpenSSH client version: %d.%d (%x)",
- major, minor, session->openssh);
+ int major, minor;
+
+ /*
+ * The banner is typical:
+ * OpenSSH_5.4
+ * 012345678901234567890
+ */
+ if (strlen(openss) > 9) {
+ major = strtol(openssh + 8, (char **) NULL, 10);
+ minor = strtol(openssh + 10, (char **) NULL, 10);
+ session->openssh = SSH_VERSION_INT(major, minor, 0);
+ ssh_log(session, SSH_LOG_RARE,
+ "We are talking to an OpenSSH client version: %d.%d (%x)",
+ major, minor, session->openssh);
+ }
}
+
return 0;
}
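Review bot: `strlen(openss)` in the new length check names an undeclared identifier, so this file will not compile; the line should read `if (strlen(openssh) > 9) {`. With that fixed, both fixed offsets stay inside the string, but `openssh + 10` still assumes a single-digit major version, so a banner such as `OpenSSH_10.2` would parse as minor 0. Passing an end pointer to the first `strtol` and parsing the minor from just past the separator would remove that assumption. When the check fails, `session->openssh` is left as it was, which deserves a short comment such as `/* version string too short: leave session->openssh unset */`.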