From 38359672a546d87c8b2fb040bf30ebaec2ee3651 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 29 Sep 2010 12:12:14 +0200 Subject: misc: Make sure ssh_analyze_banner has proper length checks. --- src/misc.c | 56 +++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 37 insertions(+), 19 deletions(-) (limited to 'src/misc.c') diff --git a/src/misc.c b/src/misc.c index 061eaf3b..abaa7b1a 100644 --- a/src/misc.c +++ b/src/misc.c @@ -706,8 +706,21 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) { banner = session->serverbanner; } - if (banner == NULL || - strlen(banner) <= 4 || + if (banner == NULL) { + ssh_set_error(session, SSH_FATAL, "Invalid banner"); + return -1; + } + + /* + * Typical banners e.g. are: + * + * SSH-1.5-openSSH_5.4 + * SSH-1.99-openSSH_3.0 + * + * SSH-2.0-something + * 012345678901234567890 + */ + if (strlen(banner) < 6 || strncmp(banner, "SSH-", 4) != 0) { ssh_set_error(session, SSH_FATAL, "Protocol mismatch: %s", banner); return -1; @@ -715,19 +728,15 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) { ssh_log(session, SSH_LOG_RARE, "Analyzing banner: %s", banner); - /* - * Typical banners e.g. are: - * SSH-1.5-blah - * SSH-1.99-blah - * SSH-2.0-blah - */ switch(banner[4]) { case '1': *ssh1 = 1; - if (banner[6] == '9') { - *ssh2 = 1; - } else { - *ssh2 = 0; + if (strlen(banner) > 6) { + if (banner[6] == '9') { + *ssh2 = 1; + } else { + *ssh2 = 0; + } } break; case '2': 
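Review bot: In the `case '1'` branch the new `if (strlen(banner) > 6)` guard leaves `*ssh2` unassigned when the banner is exactly six characters long, whereas the removed code always wrote it; the `strlen(banner) < 6` rejection added earlier in this commit already guarantees `banner[6]` is at worst the NUL terminator, so reading it needs no extra guard. Unless every caller initializes `*ssh2` before calling (not visible here), this is a new path that returns an uninitialized output to the caller. Either drop the guard and write `*ssh2 = (banner[6] == '9');`, or keep it and add an `else { *ssh2 = 0; }` so both outputs are set on every accepted banner. ssh_analyze_banner starts before this hunk and continues past `case '2':`.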
@@ -741,15 +750,24 @@ int ssh_analyze_banner(ssh_session session, int server, int *ssh1, int *ssh2) { openssh = strstr(banner, "OpenSSH"); if (openssh != NULL) { - int major, minor; - major = strtol(openssh + 8, (char **) NULL, 10); - minor = strtol(openssh + 10, (char **) NULL, 10); - session->openssh = SSH_VERSION_INT(major, minor, 0); - ssh_log(session, SSH_LOG_RARE, - "We are talking to an OpenSSH client version: %d.%d (%x)", - major, minor, session->openssh); + int major, minor; + + /* + * The banner is typical: + * OpenSSH_5.4 + * 012345678901234567890 + */ + if (strlen(openss) > 9) { + major = strtol(openssh + 8, (char **) NULL, 10); + minor = strtol(openssh + 10, (char **) NULL, 10); + session->openssh = SSH_VERSION_INT(major, minor, 0); + ssh_log(session, SSH_LOG_RARE, + "We are talking to an OpenSSH client version: %d.%d (%x)", + major, minor, session->openssh); + } } + return 0; } -- cgit v1.2.3
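Review bot: `strlen(openss)` in the new length guard refers to an identifier that does not exist — the local is `openssh` — so this hunk does not compile as written; it should read `if (strlen(openssh) > 9) {`. Separately, the two `strtol` calls still assume a single-digit major version, since `openssh + 10` skips exactly "N." and a banner such as `OpenSSH_10.1` would parse its minor from "." and get 0; parsing with an end pointer, `major = strtol(openssh + 8, &end, 10); if (*end == '.') minor = strtol(end + 1, NULL, 10); else minor = 0;`, removes that assumption (the `> 9` guard then only needs to ensure a digit follows the underscore). That parsing weakness predates this commit. ssh_analyze_banner begins before this hunk.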