From afc9988c933ed74bd4c302d685f1b4d7e1960aab Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Mon, 2 Feb 2015 14:14:12 +0100
Subject: buffer: Improve argument checking in ssh_buffer_pack()
Signed-off-by: Andreas Schneider
Reviewed-by: Aris Adamantiadis
---
 include/libssh/buffer.h | 15 ++++++++++++---
 include/libssh/priv.h | 24 ++++++++++++++++++++++++
 src/buffer.c | 31 ++++++++++++++++++++++++++-----
 3 files changed, 62 insertions(+), 8 deletions(-)
diff --git a/include/libssh/buffer.h b/include/libssh/buffer.h
index 2aebe7e7..1cc8196c 100644
--- a/include/libssh/buffer.h
+++ b/include/libssh/buffer.h
@@ -52,9 +52,18 @@ int buffer_add_u16(ssh_buffer buffer, uint16_t data);
 int buffer_add_u32(ssh_buffer buffer, uint32_t data);
 int buffer_add_u64(ssh_buffer buffer, uint64_t data);
 int ssh_buffer_add_data(ssh_buffer buffer, const void *data, uint32_t len);
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
-int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...);
-#define ssh_buffer_pack(buffer, format, ...) _ssh_buffer_pack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)
+
+int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ va_list ap);
+int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ ...);
+#define ssh_buffer_pack(buffer, format, ...) \
+ _ssh_buffer_pack((buffer), (format), __VA_NARG__(__VA_ARGS__), __VA_ARGS__, SSH_BUFFER_PACK_END)
+
 int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap);
 int _ssh_buffer_unpack(struct ssh_buffer_struct *buffer, const char *format, ...);
 #define ssh_buffer_unpack(buffer, format, ...) _ssh_buffer_unpack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)
diff --git a/include/libssh/priv.h b/include/libssh/priv.h
index 0e3bab5b..4adcf898 100644
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
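Review bot: The unpack side gets no argument count: the context lines at the end of the include/libssh/buffer.h hunk show `ssh_buffer_unpack()` still expanding to `_ssh_buffer_unpack((buffer),(format), __VA_ARGS__, SSH_BUFFER_PACK_END)`, so a format/argument mismatch there is caught only by the trailing sentinel. Unpack presumably stores through the pointers it pulls from the `va_list`, which would make a miscount there at least as damaging as on the pack side; the same `__VA_NARG__(__VA_ARGS__)` count could be threaded through `ssh_buffer_unpack_va()`. Separately, because `_ssh_buffer_pack()` is variadic, a caller that invokes it directly instead of through the macro still compiles after this change and silently passes its first data argument as `argc`, so it is worth searching the tree for direct calls.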
@@ -301,5 +301,29 @@ int match_hostname(const char *host, const char *pattern, unsigned int len);
 */
 #define discard_const_p(type, ptr) ((type *)discard_const(ptr))
+/**
+ * Get the argument cound of variadic arguments
+ */
+#define __VA_NARG__(...) \
+ (__VA_NARG_(_0, ## __VA_ARGS__, __RSEQ_N()) - 1)
+#define __VA_NARG_(...) \
+ __VA_ARG_N(__VA_ARGS__)
+#define __VA_ARG_N( \
+ _1, _2, _3, _4, _5, _6, _7, _8, _9,_10, \
+ _11,_12,_13,_14,_15,_16,_17,_18,_19,_20, \
+ _21,_22,_23,_24,_25,_26,_27,_28,_29,_30, \
+ _31,_32,_33,_34,_35,_36,_37,_38,_39,_40, \
+ _41,_42,_43,_44,_45,_46,_47,_48,_49,_50, \
+ _51,_52,_53,_54,_55,_56,_57,_58,_59,_60, \
+ _61,_62,_63,N,...) N
+#define __RSEQ_N() \
+ 63, 62, 61, 60, \
+ 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, \
+ 49, 48, 47, 46, 45, 44, 43, 42, 41, 40, \
+ 39, 38, 37, 36, 35, 34, 33, 32, 31, 30, \
+ 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, \
+ 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, \
+ 9, 8, 7, 6, 5, 4, 3, 2, 1, 0
+
 #endif /* _LIBSSH_PRIV_H */
 /* vim: set ts=4 sw=4 et cindent: */
diff --git a/src/buffer.c b/src/buffer.c
index be25a32f..5eb3bb56 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -688,7 +688,11 @@ struct ssh_string_struct *buffer_get_mpint(struct ssh_buffer_struct *buffer) {
 * SSH_ERROR on error
 * @see ssh_buffer_add_format() for format list values.
 */
-int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_list ap){
+int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ va_list ap)
+{
 int rc = SSH_ERROR;
 const char *p;
 union {
@@ -702,8 +706,14 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 char *cstring;
 bignum b;
 size_t len;
+ int count;
+
+ for (p = format, count = 0; *p != '\0'; p++, count++) {
+ /* Invalid number of arguments passed */
+ if (count > argc) {
+ return SSH_ERROR;
+ }
- for (p = format; *p != '\0'; p++) {
 switch(*p) {
 case 'b':
 o.byte = (uint8_t)va_arg(ap, unsigned int);
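Review bot: In the include/libssh/priv.h hunk the new helper names `__VA_NARG__`, `__VA_NARG_`, `__VA_ARG_N` and `__RSEQ_N` all begin with a double underscore, which C reserves for the implementation; a project prefix (for example `SSH_VA_NARG`) avoids a clash with compiler or libc macros. `_0, ## __VA_ARGS__` depends on the GNU comma-swallowing extension, so a preprocessor without it may miscount or fail to compile, and since the result now gates every `ssh_buffer_pack()` call a comment naming the supported compilers would help. The table also stops at 63 arguments, beyond which the expansion is no longer a count, and the doc comment should read `Get the argument count of variadic arguments`.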
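Review bot: Nothing in the `@@ -688,7 +688,11 @@` hunk of src/buffer.c documents the new `argc` parameter of `ssh_buffer_pack_va()`; only the tail of its doc block is visible as context, so this may already be covered outside the hunk. If it is not, add `@param[in] argc Number of variadic arguments supplied by the caller, not counting the SSH_BUFFER_PACK_END sentinel.` and mention that a 'P' element consumes two of them. The same applies to the comment above `_ssh_buffer_pack()` in the last hunk of this file.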
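Review bot: The guard `if (count > argc)` at the top of the loop in `ssh_buffer_pack_va()` (hunk `@@ -702,8 +706,14 @@`) is off by one: when `count == argc` every supplied argument has already been consumed, yet the `switch` still runs and calls `va_arg()` once more before the mismatch is caught by the next iteration or by the `argc != count` check after the loop. That extra read lands on the sentinel slot, and in the 'P' case (hunk `@@ -740,7 +750,10 @@`) the second `va_arg(ap, void *)` reads past it and the result is handed to `ssh_buffer_add_data()` together with a bogus `len`. Using `if (count >= argc)` here, plus `if (argc - count < 2) { return SSH_ERROR; }` before the two reads in the 'P' case, rejects a short argument list before anything is pulled from the `va_list`. The loop body continues outside this hunk.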
@@ -740,7 +750,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 break;
 case 'P':
 len = va_arg(ap, size_t);
+
 o.data = va_arg(ap, void *);
+ count++; /* increase argument count */
+
 rc = ssh_buffer_add_data(buffer, o.data, len);
 o.data = NULL;
 break;
@@ -769,6 +782,10 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 }
 }
+ if (argc != count) {
+ return SSH_ERROR;
+ }
+
 if (rc != SSH_ERROR){
 /* verify that the last hidden argument is correct */
 o.dword = va_arg(ap, uint32_t);
@@ -799,12 +816,16 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, const char *format, va_
 * @warning when using 'P' with a constant size (e.g. 8), do not
 * forget to cast to (size_t).
 */
-int _ssh_buffer_pack(struct ssh_buffer_struct *buffer, const char *format, ...){
+int _ssh_buffer_pack(struct ssh_buffer_struct *buffer,
+ const char *format,
+ int argc,
+ ...)
+{
 va_list ap;
 int rc;
- va_start(ap, format);
- rc = ssh_buffer_pack_va(buffer, format, ap);
+ va_start(ap, argc);
+ rc = ssh_buffer_pack_va(buffer, format, argc, ap);
 va_end(ap);
 return rc;
 }
-- 
cgit v1.2.3