rutwa189 / rpms / openssh

Forked from rpms/openssh a year ago
Clone
2b784c
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
2b784c
index d29a03b4..d7283136 100644
2b784c
--- a/ssh-keyscan.c
2b784c
+++ b/ssh-keyscan.c
2b784c
@@ -490,6 +490,15 @@ congreet(int s)
2b784c
 		return;
2b784c
 	}
2b784c
 
2b784c
+	/*
2b784c
+	 * Read the server banner as per RFC4253 section 4.2.  The "SSH-"
2b784c
+	 * protocol identification string may be preceeded by an arbitarily
2b784c
+	 * large banner which we must read and ignore.  Loop while reading
2b784c
+	 * newline-terminated lines until we have one starting with "SSH-".
2b784c
+	 * The ID string cannot be longer than 255 characters although the
2b784c
+	 * preceeding banner lines may (in which case they'll be discarded
2b784c
+	 * in multiple iterations of the outer loop).
2b784c
+	 */
2b784c
 	for (;;) {
2b784c
 		memset(buf, '\0', sizeof(buf));
2b784c
 		bufsiz = sizeof(buf);
2b784c
@@ -517,6 +526,11 @@ congreet(int s)
2b784c
 		conrecycle(s);
2b784c
 		return;
2b784c
 	}
2b784c
+	if (cp >= buf + sizeof(buf)) {
2b784c
+		error("%s: greeting exceeds allowable length", c->c_name);
2b784c
+		confree(s);
2b784c
+		return;
2b784c
+	}
2b784c
 	if (*cp != '\n' && *cp != '\r') {
2b784c
 		error("%s: bad greeting", c->c_name);
2b784c
 		confree(s);
2b784c
diff --git a/sshsig.c b/sshsig.c
2b784c
index 1e3b6398..eb2a931e 100644
2b784c
--- a/sshsig.c
2b784c
+++ b/sshsig.c
2b784c
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
2b784c
 {
2b784c
 	char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
2b784c
 	ssize_t n, total = 0;
2b784c
-	struct ssh_digest_ctx *ctx;
2b784c
+	struct ssh_digest_ctx *ctx = NULL;
2b784c
 	int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
2b784c
 	struct sshbuf *b = NULL;
2b784c
 
2b784c
@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
2b784c
 	/* success */
2b784c
 	r = 0;
2b784c
  out:
2b784c
+	oerrno = errno;
2b784c
 	sshbuf_free(b);
2b784c
 	ssh_digest_free(ctx);
2b784c
 	explicit_bzero(hash, sizeof(hash));
2b784c
+	errno = oerrno;
2b784c
 	return r;
2b784c
 }
2b784c