rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity
6f7c765ed4
openssh/openssh-6.7p1-coverity.patch
Dmitry Belyavskiy 745da74ea2 Fix self-DoS 
Resolves: CVE-2023-25136
Remove too aggressive coverity fix causing native tests failure
2023-04-13 18:14:19 +02:00

455 lines
16 KiB
Diff
Raw Blame History

diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno));
+ free(ccname);
return oerrno;
}
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
+ free(ccname);
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
/* success */
+ sshbuf_free(b);
return 0;
}
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
+ free(dnskey_digest);
return -1;
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
-
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
cp = strncpy(s, kex, strlen(kex));
+#pragma pop
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
}
- if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
return r;
+ }
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
+ /* coverity[leaked_storage : FALSE] */
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED;
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
*/
/* Use strncpy because we don't necessarily want null termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
# endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
}
if (nullfd > STDERR_FILENO)
close(nullfd);
+ /* coverity[leaked_handle : FALSE]*/
+ /* coverity[leaked_handle : FALSE]*/
}
char *
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
}
if (devnull > STDERR_FILENO)
close(devnull);
+ /* coverity[leaked_handle : FALSE]*/
return ret;
}
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
+ /* coverity[leaked_storage : FALSE] */
}
static unsigned long
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
;
if (pmonitor->m_recvfd >= 0)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
-
+ /* coverity[leaked_handle : FALSE] */
return (0);
error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error_f("cannot allocate fds for pty");
- if (tmp1 > 0)
+ if (tmp1 >= 0)
close(tmp1);
- if (tmp2 > 0)
- close(tmp2);
+ /*DEAD CODE if (tmp2 >= 0)
+ close(tmp2);*/
return 0;
}
close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
- socklen_t salen;
+ socklen_t salen = sizeof(struct sockaddr_storage);
int i;
if (sa == NULL) {
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
pselect_notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
+ free(arg2);
goto out;
}
free(arg2);
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -186,11 +186,11 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (do_cmd_pid2 > 1) {
kill(do_cmd_pid2, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid2, NULL, 0);
+ (void) waitpid(do_cmd_pid2, NULL, 0);
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
- if (intptr != NULL)
- *intptr = *intptr + 1;
+ /* DEAD CODE intptr is still NULL ;)
+ if (intptr != NULL)
+ *intptr = *intptr + 1; */
}
break;
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
debug_f("invalid tun");
goto done;
}
- if (auth_opts->force_tun_device != -1) {
+ if (auth_opts->force_tun_device >= 0) {
if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
goto done;
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
/* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]);
+ /* coverity[overwrite_var : FALSE] */
if ((value = strchr(cp, '=')) == NULL) {
/* shouldn't happen; vars are checked in servconf.c */
fatal("Invalid config SetEnv: %s", options.setenv[i]);
}
*value++ = '\0';
child_set_env(&env, &envsize, cp, value);
+ free(cp);
}
/* SSH_CLIENT deprecated */
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
pid = sshpid;
if (pid > 1) {
kill(pid, SIGTERM);
- waitpid(pid, NULL, 0);
+ (void) waitpid(pid, NULL, 0);
}
_exit(1);
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname);
+ free(fname);
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
freezero(rks[i], sizeof(*rks[i]));
}
free(rks);
+ free(device);
return ret;
}
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI");
+ pkcs11_uri_cleanup(uri);
return NULL;
}
/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
+ /* coverity[leaked_handle: FALSE]*/
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(ssh);
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
+ free(box);
+ }
return 0;
}
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr;
- else
+ else {
fatal("No supported key exchange algorithms");
+ free(gss);
+ }
+ /* coverity[leaked_storage: FALSE]*/
}
#endif
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
static char *
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
oerrno = errno;
error_f("read: %s", strerror(errno));
ssh_digest_free(ctx);
+ ctx = NULL;
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
goto out;
Reference in New Issue View Git Blame Copy Permalink