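diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index d29a03b4..d7283136 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -490,6 +490,15 @@ congreet(int s)
 return;
 }
 
+ /*
+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
+ * protocol identification string may be preceeded by an arbitarily
+ * large banner which we must read and ignore. Loop while reading
+ * newline-terminated lines until we have one starting with "SSH-".
+ * The ID string cannot be longer than 255 characters although the
+ * preceeding banner lines may (in which case they'll be discarded
+ * in multiple iterations of the outer loop).
+ */
 for (;;) {
 memset(buf, '\0', sizeof(buf));
 bufsiz = sizeof(buf);
@@ -517,6 +526,11 @@ congreet(int s)
 conrecycle(s);
 return;
 }
+ if (cp >= buf + sizeof(buf)) {
+ error("%s: greeting exceeds allowable length", c->c_name);
+ confree(s);
+ return;
+ }
 if (*cp != '\n' && *cp != '\r') {
 error("%s: bad greeting", c->c_name);
 confree(s);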
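Review bot: The added guard `if (cp >= buf + sizeof(buf))` in the second hunk has no comment saying why `cp` can reach the end of `buf`; presumably the read loop (outside the hunk) can fill the buffer without seeing a line terminator, and the guard is what keeps the `*cp` test below from reading past the array. I would put `/* buffer filled without a line terminator: cp is past the end of buf, so *cp must not be read */` above it. The block comment in the first hunk states a 255-character limit on the ID string while the code enforces `sizeof(buf)`; `buf` is declared outside the hunk, so confirm the two agree or state the relationship in the comment. That comment also misspells "preceded" (as "preceeded" and "preceeding") and "arbitrarily". congreet()'s body starts and ends outside both hunks.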
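diff --git a/sshsig.c b/sshsig.c
index 1e3b6398..eb2a931e 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 {
 char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
 ssize_t n, total = 0;
- struct ssh_digest_ctx *ctx;
+ struct ssh_digest_ctx *ctx = NULL;
 int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
 struct sshbuf *b = NULL;
 
@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 /* success */
 r = 0;
 out:
+ oerrno = errno;
 sshbuf_free(b);
 ssh_digest_free(ctx);
 explicit_bzero(hash, sizeof(hash));
+ errno = oerrno;
 return r;
 }
 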
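Review bot: With `ctx` now initialised to NULL and `ssh_digest_free(ctx)` run unconditionally at `out:`, every error path that jumps to `out` has to leave the release to that label; a path that still frees `ctx` itself before `goto out` would free it twice. Those paths lie between the two hunks and are not visible here (the second hunk's offsets, -549 to +548, suggest a one-line removal in between that this page does not show), so this should be checked against the full function. The early exits also rely on `ssh_digest_free()` accepting NULL, which is not shown either. I would record the ownership rule at the label, e.g. `/* ctx is released only here; error paths must not free it before goto out */`, and add `/* keep the failing call's errno across cleanup */` next to `oerrno = errno;`.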