Mercurial > dropbear
view dbutil.c @ 1423:c1c3d5943bfc
Fix null pointer dereference found by libfuzzer
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 21 May 2017 18:53:09 +0800 |
parents | bbc0a0ee3843 |
children | 6b89eb92f872 336cae2238ca 58a74cb829b8 |
line wrap: on
line source
/* * Dropbear - a SSH2 server * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. * * strlcat() is copyright as follows: * Copyright (c) 1998 Todd C. Miller <[email protected]> * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #ifdef __linux__ #define _GNU_SOURCE /* To call clock_gettime() directly */ #include <sys/syscall.h> #endif /* __linux */ #ifdef HAVE_MACH_MACH_TIME_H #include <mach/mach_time.h> #include <mach/mach.h> #endif #include "includes.h" #include "dbutil.h" #include "buffer.h" #include "session.h" #include "atomicio.h" #define MAX_FMT 100 static void generic_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN; static void generic_dropbear_log(int priority, const char* format, va_list param); void (*_dropbear_exit)(int exitcode, const char* format, va_list param) ATTRIB_NORETURN = generic_dropbear_exit; void (*_dropbear_log)(int priority, const char* format, va_list param) = generic_dropbear_log; #if DEBUG_TRACE int debug_trace = 0; #endif #ifndef DISABLE_SYSLOG void startsyslog(const char *ident) { openlog(ident, LOG_PID, LOG_AUTHPRIV); } #endif /* DISABLE_SYSLOG */ /* the "format" string must be <= 100 characters */ void dropbear_close(const char* format, ...) { va_list param; va_start(param, format); _dropbear_exit(EXIT_SUCCESS, format, param); va_end(param); } void dropbear_exit(const char* format, ...) { va_list param; va_start(param, format); _dropbear_exit(EXIT_FAILURE, format, param); va_end(param); } static void generic_dropbear_exit(int exitcode, const char* format, va_list param) { char fmtbuf[300]; snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s", format); _dropbear_log(LOG_INFO, fmtbuf, param); exit(exitcode); } void fail_assert(const char* expr, const char* file, int line) { dropbear_exit("Failed assertion (%s:%d): `%s'", file, line, expr); } static void generic_dropbear_log(int UNUSED(priority), const char* format, va_list param) { char printbuf[1024]; vsnprintf(printbuf, sizeof(printbuf), format, param); fprintf(stderr, "%s\n", printbuf); } /* this is what can be called to write arbitrary log messages */ void dropbear_log(int priority, const char* format, ...) { va_list param; va_start(param, format); _dropbear_log(priority, format, param); va_end(param); } #if DEBUG_TRACE static double debug_start_time = -1; void debug_start_net() { if (getenv("DROPBEAR_DEBUG_NET_TIMESTAMP")) { /* Timestamps start from first network activity */ struct timeval tv; gettimeofday(&tv, NULL); debug_start_time = tv.tv_sec + (tv.tv_usec / 1000000.0); TRACE(("Resetting Dropbear TRACE timestamps")) } } static double time_since_start() { double nowf; struct timeval tv; gettimeofday(&tv, NULL); nowf = tv.tv_sec + (tv.tv_usec / 1000000.0); if (debug_start_time < 0) { debug_start_time = nowf; return 0; } return nowf - debug_start_time; } void dropbear_trace(const char* format, ...) { va_list param; if (!debug_trace) { return; } va_start(param, format); fprintf(stderr, "TRACE (%d) %f: ", getpid(), time_since_start()); vfprintf(stderr, format, param); fprintf(stderr, "\n"); va_end(param); } void dropbear_trace2(const char* format, ...) { static int trace_env = -1; va_list param; if (trace_env == -1) { trace_env = getenv("DROPBEAR_TRACE2") ? 1 : 0; } if (!(debug_trace && trace_env)) { return; } va_start(param, format); fprintf(stderr, "TRACE2 (%d) %f: ", getpid(), time_since_start()); vfprintf(stderr, format, param); fprintf(stderr, "\n"); va_end(param); } #endif /* DEBUG_TRACE */ /* Connect to a given unix socket. The socket is blocking */ #ifdef ENABLE_CONNECT_UNIX int connect_unix(const char* path) { struct sockaddr_un addr; int fd = -1; memset((void*)&addr, 0x0, sizeof(addr)); addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, path, sizeof(addr.sun_path)); fd = socket(PF_UNIX, SOCK_STREAM, 0); if (fd < 0) { TRACE(("Failed to open unix socket")) return -1; } if (connect(fd, (struct sockaddr*)&addr, sizeof(addr)) < 0) { TRACE(("Failed to connect to '%s' socket", path)) m_close(fd); return -1; } return fd; } #endif /* Sets up a pipe for a, returning three non-blocking file descriptors * and the pid. exec_fn is the function that will actually execute the child process, * it will be run after the child has fork()ed, and is passed exec_data. * If ret_errfd == NULL then stderr will not be captured. * ret_pid can be passed as NULL to discard the pid. */ int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) { int infds[2]; int outfds[2]; int errfds[2]; pid_t pid; const int FDIN = 0; const int FDOUT = 1; /* redirect stdin/stdout/stderr */ if (pipe(infds) != 0) { return DROPBEAR_FAILURE; } if (pipe(outfds) != 0) { return DROPBEAR_FAILURE; } if (ret_errfd && pipe(errfds) != 0) { return DROPBEAR_FAILURE; } #if DROPBEAR_VFORK pid = vfork(); #else pid = fork(); #endif if (pid < 0) { return DROPBEAR_FAILURE; } if (!pid) { /* child */ TRACE(("back to normal sigchld")) /* Revert to normal sigchld handling */ if (signal(SIGCHLD, SIG_DFL) == SIG_ERR) { dropbear_exit("signal() error"); } /* redirect stdin/stdout */ if ((dup2(infds[FDIN], STDIN_FILENO) < 0) || (dup2(outfds[FDOUT], STDOUT_FILENO) < 0) || (ret_errfd && dup2(errfds[FDOUT], STDERR_FILENO) < 0)) { TRACE(("leave noptycommand: error redirecting FDs")) dropbear_exit("Child dup2() failure"); } close(infds[FDOUT]); close(infds[FDIN]); close(outfds[FDIN]); close(outfds[FDOUT]); if (ret_errfd) { close(errfds[FDIN]); close(errfds[FDOUT]); } exec_fn(exec_data); /* not reached */ return DROPBEAR_FAILURE; } else { /* parent */ close(infds[FDIN]); close(outfds[FDOUT]); setnonblocking(outfds[FDIN]); setnonblocking(infds[FDOUT]); if (ret_errfd) { close(errfds[FDOUT]); setnonblocking(errfds[FDIN]); } if (ret_pid) { *ret_pid = pid; } *ret_writefd = infds[FDOUT]; *ret_readfd = outfds[FDIN]; if (ret_errfd) { *ret_errfd = errfds[FDIN]; } return DROPBEAR_SUCCESS; } } /* Runs a command with "sh -c". Will close FDs (except stdin/stdout/stderr) and * re-enabled SIGPIPE. If cmd is NULL, will run a login shell. */ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) { char * argv[4]; char * baseshell = NULL; unsigned int i; baseshell = basename(usershell); if (cmd != NULL) { argv[0] = baseshell; } else { /* a login shell should be "-bash" for "/bin/bash" etc */ int len = strlen(baseshell) + 2; /* 2 for "-" */ argv[0] = (char*)m_malloc(len); snprintf(argv[0], len, "-%s", baseshell); } if (cmd != NULL) { argv[1] = "-c"; argv[2] = (char*)cmd; argv[3] = NULL; } else { /* construct a shell of the form "-bash" etc */ argv[1] = NULL; } /* Re-enable SIGPIPE for the executed process */ if (signal(SIGPIPE, SIG_DFL) == SIG_ERR) { dropbear_exit("signal() error"); } /* close file descriptors except stdin/stdout/stderr * Need to be sure FDs are closed here to avoid reading files as root */ for (i = 3; i <= maxfd; i++) { m_close(i); } execv(usershell, argv); } #if DEBUG_TRACE void printhex(const char * label, const unsigned char * buf, int len) { int i; fprintf(stderr, "%s\n", label); for (i = 0; i < len; i++) { fprintf(stderr, "%02x", buf[i]); if (i % 16 == 15) { fprintf(stderr, "\n"); } else if (i % 2 == 1) { fprintf(stderr, " "); } } fprintf(stderr, "\n"); } void printmpint(const char *label, mp_int *mp) { buffer *buf = buf_new(1000); buf_putmpint(buf, mp); printhex(label, buf->data, buf->len); buf_free(buf); } #endif /* Strip all control characters from text (a null-terminated string), except * for '\n', '\r' and '\t'. * The result returned is a newly allocated string, this must be free()d after * use */ char * stripcontrol(const char * text) { char * ret; int len, pos; int i; len = strlen(text); ret = m_malloc(len+1); pos = 0; for (i = 0; i < len; i++) { if ((text[i] <= '~' && text[i] >= ' ') /* normal printable range */ || text[i] == '\n' || text[i] == '\r' || text[i] == '\t') { ret[pos] = text[i]; pos++; } } ret[pos] = 0x0; return ret; } /* reads the contents of filename into the buffer buf, from the current * position, either to the end of the file, or the buffer being full. * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ int buf_readfile(buffer* buf, const char* filename) { int fd = -1; int len; int maxlen; int ret = DROPBEAR_FAILURE; fd = open(filename, O_RDONLY); if (fd < 0) { goto out; } do { maxlen = buf->size - buf->pos; len = read(fd, buf_getwriteptr(buf, maxlen), maxlen); if (len < 0) { if (errno == EINTR || errno == EAGAIN) { continue; } goto out; } buf_incrwritepos(buf, len); } while (len < maxlen && len > 0); ret = DROPBEAR_SUCCESS; out: if (fd >= 0) { m_close(fd); } return ret; } /* get a line from the file into buffer in the style expected for an * authkeys file. * Will return DROPBEAR_SUCCESS if data is read, or DROPBEAR_FAILURE on EOF.*/ /* Only used for ~/.ssh/known_hosts and ~/.ssh/authorized_keys */ #if DROPBEAR_CLIENT || DROPBEAR_SVR_PUBKEY_AUTH int buf_getline(buffer * line, FILE * authfile) { int c = EOF; buf_setpos(line, 0); buf_setlen(line, 0); while (line->pos < line->size) { c = fgetc(authfile); /*getc() is weird with some uClibc systems*/ if (c == EOF || c == '\n' || c == '\r') { goto out; } buf_putbyte(line, (unsigned char)c); } TRACE(("leave getauthline: line too long")) /* We return success, but the line length will be zeroed - ie we just * ignore that line */ buf_setlen(line, 0); out: /* if we didn't read anything before EOF or error, exit */ if (c == EOF && line->pos == 0) { return DROPBEAR_FAILURE; } else { buf_setpos(line, 0); return DROPBEAR_SUCCESS; } } #endif /* make sure that the socket closes */ void m_close(int fd) { int val; if (fd == -1) { return; } do { val = close(fd); } while (val < 0 && errno == EINTR); if (val < 0 && errno != EBADF) { /* Linux says EIO can happen */ dropbear_exit("Error closing fd %d, %s", fd, strerror(errno)); } } void * m_malloc(size_t size) { void* ret; if (size == 0) { dropbear_exit("m_malloc failed"); } ret = calloc(1, size); if (ret == NULL) { dropbear_exit("m_malloc failed"); } return ret; } void * m_strdup(const char * str) { char* ret; ret = strdup(str); if (ret == NULL) { dropbear_exit("m_strdup failed"); } return ret; } void * m_realloc(void* ptr, size_t size) { void *ret; if (size == 0) { dropbear_exit("m_realloc failed"); } ret = realloc(ptr, size); if (ret == NULL) { dropbear_exit("m_realloc failed"); } return ret; } void setnonblocking(int fd) { TRACE(("setnonblocking: %d", fd)) if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) { if (errno == ENODEV) { /* Some devices (like /dev/null redirected in) * can't be set to non-blocking */ TRACE(("ignoring ENODEV for setnonblocking")) } else { dropbear_exit("Couldn't set nonblocking"); } } TRACE(("leave setnonblocking")) } void disallow_core() { struct rlimit lim; lim.rlim_cur = lim.rlim_max = 0; setrlimit(RLIMIT_CORE, &lim); } /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE, with the result in *val */ int m_str_to_uint(const char* str, unsigned int *val) { unsigned long l; errno = 0; l = strtoul(str, NULL, 10); /* The c99 spec doesn't actually seem to define EINVAL, but most platforms * I've looked at mention it in their manpage */ if ((l == 0 && errno == EINVAL) || (l == ULONG_MAX && errno == ERANGE) || (l > UINT_MAX)) { return DROPBEAR_FAILURE; } else { *val = l; return DROPBEAR_SUCCESS; } } /* Returns malloced path. inpath beginning with '/' is returned as-is, otherwise home directory is prepended */ char * expand_homedir_path(const char *inpath) { struct passwd *pw = NULL; if (inpath[0] != '/') { pw = getpwuid(getuid()); if (pw && pw->pw_dir) { int len = strlen(inpath) + strlen(pw->pw_dir) + 2; char *buf = m_malloc(len); snprintf(buf, len, "%s/%s", pw->pw_dir, inpath); return buf; } } /* Fallback */ return m_strdup(inpath); } int constant_time_memcmp(const void* a, const void *b, size_t n) { const char *xa = a, *xb = b; uint8_t c = 0; size_t i; for (i = 0; i < n; i++) { c |= (xa[i] ^ xb[i]); } return c; } #if defined(__linux__) && defined(SYS_clock_gettime) /* CLOCK_MONOTONIC_COARSE was added in Linux 2.6.32 but took a while to reach userspace include headers */ #ifndef CLOCK_MONOTONIC_COARSE #define CLOCK_MONOTONIC_COARSE 6 #endif static clockid_t get_linux_clock_source() { struct timespec ts; if (syscall(SYS_clock_gettime, CLOCK_MONOTONIC_COARSE, &ts) == 0) { return CLOCK_MONOTONIC_COARSE; } if (syscall(SYS_clock_gettime, CLOCK_MONOTONIC, &ts) == 0) { return CLOCK_MONOTONIC; } return -1; } #endif time_t monotonic_now() { #if defined(__linux__) && defined(SYS_clock_gettime) static clockid_t clock_source = -2; if (clock_source == -2) { /* First run, find out which one works. -1 will fall back to time() */ clock_source = get_linux_clock_source(); } if (clock_source >= 0) { struct timespec ts; if (syscall(SYS_clock_gettime, clock_source, &ts) != 0) { /* Intermittent clock failures should not happen */ dropbear_exit("Clock broke"); } return ts.tv_sec; } #endif /* linux clock_gettime */ #if defined(HAVE_MACH_ABSOLUTE_TIME) /* OS X, see https://developer.apple.com/library/mac/qa/qa1398/_index.html */ static mach_timebase_info_data_t timebase_info; if (timebase_info.denom == 0) { mach_timebase_info(&timebase_info); } return mach_absolute_time() * timebase_info.numer / timebase_info.denom / 1e9; #endif /* osx mach_absolute_time */ /* Fallback for everything else - this will sometimes go backwards */ return time(NULL); } void fsync_parent_dir(const char* fn) { #ifdef HAVE_LIBGEN_H char *fn_dir = m_strdup(fn); char *dir = dirname(fn_dir); int dirfd = open(dir, O_RDONLY); if (dirfd != -1) { if (fsync(dirfd) != 0) { TRACE(("fsync of directory %s failed: %s", dir, strerror(errno))) } m_close(dirfd); } else { TRACE(("error opening directory %s for fsync: %s", dir, strerror(errno))) } free(fn_dir); #endif }