mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-16 02:27:32 -05:00
Tighten up pointer handling after ssh_pkt_getstring.
ssh_pkt_getstring can return (NULL,0) if the input packet is too short to contain a valid string. In quite a few places we were passing the returned pointer,length pair to a printf function with "%.*s" type format, which seems in practice to have not been dereferencing the pointer but the C standard doesn't actually guarantee that. In one place we were doing the same job by hand with memcpy, and apparently that _can_ dereference the pointer in practice (so a server could have caused a NULL-dereference crash by sending an appropriately malformed "x11" type channel open request). And also I spotted a logging call in the "forwarded-tcpip" channel open handler which had forgotten the field width completely, so it was erroneously relying on the string happening to be NUL-terminated in the received packet.

I've tightened all of this up in general by normalising (NULL,0) to ("",0) before calling printf("%.*s"), and replacing the two even more broken cases with the corrected version of that same idiom.
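As an added example, not PuTTY's own code, here is the (NULL,0) failure convention the commit message describes and the corrected `"%.*s"` idiom applied to it. The `get_string`, `describe_x11_open` and `x11_open_logs_as` functions and the three packet buffers are this example's own constructions; only the `NULLTOEMPTY` definition matches what the commit adds to misc.h.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same definition as the macro added to misc.h in this commit. */
#define NULLTOEMPTY(s) ((s) ? (s) : "")

/* Read cursor over a received packet body (this example's own type). */
struct cursor {
    const unsigned char *p;
    size_t remaining;
};

/*
 * Stand-in for ssh_pkt_getstring: an SSH string is a big-endian uint32
 * length followed by that many bytes. If the packet cannot hold the
 * prefix, or the prefix claims more bytes than remain, the result is
 * (NULL, 0) and the cursor is left where it was. The returned bytes are
 * NOT NUL-terminated, which is why a bare "%s" must never be used on them.
 */
static const char *get_string(struct cursor *c, int *len)
{
    uint32_t n;

    *len = 0;
    if (c->remaining < 4)
        return NULL;
    n = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
        ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    if (n > c->remaining - 4 || n > (uint32_t)INT_MAX)
        return NULL;

    const char *s = (const char *)(c->p + 4);
    c->p += 4 + n;
    c->remaining -= 4 + n;
    *len = (int)n;
    return s;
}

/*
 * The corrected logging idiom: the precision comes from the returned
 * length, and the pointer is normalised so printf never sees a NULL.
 * Returns snprintf's result (the length the message needs), or a
 * negative value on a formatting error. A hand-rolled
 * memcpy(buf, host, hostlen) here could touch a NULL host even when
 * hostlen is 0, which is the crash the commit message describes.
 */
static int describe_x11_open(const unsigned char *pkt, size_t pktlen,
                             char *out, size_t outsz)
{
    struct cursor c = { pkt, pktlen };
    int hostlen;
    const char *host = get_string(&c, &hostlen);

    return snprintf(out, outsz, "x11 open from %.*s",
                    hostlen, NULLTOEMPTY(host));
}

/* Does the packet log as exactly `expected`, with no truncation? */
static int x11_open_logs_as(const unsigned char *pkt, size_t pktlen,
                            const char *expected)
{
    char buf[128];
    int n = describe_x11_open(pkt, pktlen, buf, sizeof buf);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, expected) == 0;
}

/* Constructed packets: one well-formed, two malformed. */
static const unsigned char good_pkt[] =
    { 0, 0, 0, 9, 'l', 'o', 'c', 'a', 'l', 'h', 'o', 's', 't' };
/* Claims 64 bytes but carries 3: get_string returns (NULL, 0). */
static const unsigned char lying_pkt[] = { 0, 0, 0, 64, 'a', 'b', 'c' };
/* Too short even for the length prefix. */
static const unsigned char tiny_pkt[] = { 0, 0 };

int main(void)
{
    char buf[128];

    describe_x11_open(good_pkt, sizeof good_pkt, buf, sizeof buf);
    puts(buf);
    describe_x11_open(lying_pkt, sizeof lying_pkt, buf, sizeof buf);
    puts(buf);
    describe_x11_open(tiny_pkt, sizeof tiny_pkt, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The malformed packets produce a log line with an empty host rather than a crash or an over-read; the point of normalising the pointer rather than branching at every call site is that the `%.*s` call stays a one-liner and the length argument, which is already 0 in the failure case, carries the bound.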
misc.h
@ -169,4 +169,9 @@ void debug_memdump(void *buf, int len, int L);
(cp)[0] = (unsigned char)((value) >> 8), \
(cp)[1] = (unsigned char)(value) )
|
/* Replace NULL with the empty string, permitting an idiom in which we
* get a string (pointer,length) pair that might be NULL,0 and can
* then safely say things like printf("%.*s", length, NULLTOEMPTY(ptr)) */
#define NULLTOEMPTY(s) ((s)?(s):"")
|
#endif
|
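Review bot: the new `#define NULLTOEMPTY(s) ((s)?(s):"")` evaluates its argument twice, so it is only safe with a side-effect-free argument such as the plain pointer variable the comment above it has in mind; worth saying so in that comment, or making it a `static inline const char *nulltoempty(const char *s)` so a call like `NULLTOEMPTY(get_next_ptr())` cannot silently advance twice. The comment could also state the precondition the idiom rests on, namely that a NULL pointer only ever arrives paired with length 0, since the macro normalises the pointer but leaves the length argument to the caller.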