1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Commit Graph

5863 Commits

Author SHA1 Message Date
Simon Tatham
6aa1dcb1ca Remove assertion that len != 0 in ldisc_send.
A user reported another situation in which that assertion can fail: if
you paste text into the terminal that consists 100% of characters not
available in the CONF_line_codepage character set, then the
translation step generates the empty string as output, and that gets
passed to ldisc_send by term_paste without checking.

Previous bugs of this kind (see commits 4634cd47f7 and 43a63019f5)
were fixed by adding a check before calling ldisc_send. But in commit
4634cd47f7 I said that probably at some point the right fix would be
to remove the assertion in ldisc_send itself, so that passing len==0
becomes legal. (The assertion was there in the first place to catch
cases where len==0 was used with its obsolete special meaning of
signalling 'please update your status'.)

Well, I think it's finally time. The assertion is removed: it's now
legal again to call ldisc_send with an empty buffer, and its meaning
is no longer the archaic special thing, but the trivial one of sending
zero characters through the line discipline.

(cherry picked from commit cd3e917fd0)
2020-06-14 15:49:36 +01:00
Simon Tatham
d527b1a886 uxucs.c: fix type of wcrtomb return value.
wcrtomb returns a size_t, so it's silly to immediately assign it into
an int variable. Apparently running gcc with LTO enabled points this
out as an error.

This was benign as far as I can see: the obvious risk of integer
overflow could only happen if the OS wanted to convert a single wide
character into more than 2^31 bytes, and the test of the return value
against (size_t)-1 for an error check seems to work anyway in
practice, although I suspect that's only because of implementation-
defined behaviour in gcc at the point where the size_t is narrowed to
a signed int.

(cherry picked from commit 99f5fa34ab)
2020-06-14 15:49:36 +01:00
Simon Tatham
c39f6a2223 sshserver.c: fix prototype of mainchan_new.
Again, there was a missing #include in that file which meant that the
definition of the function was never being checked against the
declaration visible to other source files.

(cherry picked from commit c5aa7fc31c)
2020-06-14 15:49:36 +01:00
Simon Tatham
602656eee7 fuzzterm.c: fix prototypes of stub dlg functions.
I'd forgotten to #include "dialog.h" in that file, which meant nothing
was checking the prototypes of the stub implementations of the dlg_*
function family against the real versions. They almost all needed a
'void *dlg' parameter updating to 'dlgparam *dp', which is a change
dating from commit 3aae1f9d76 nearly two years ago. And a handful of
them also still had 'int' that should be now have become 'bool'.

(cherry picked from commit c373fe979f)
2020-06-14 15:49:36 +01:00
Simon Tatham
426a2048cc pty_backend_create: set up SIGCHLD handler earlier.
Mark Wooding points out that when running with the +ut flag, we close
pty_utmp_helper_pipe during pty backend setup, which causes the
previously forked helper process to terminate. If that termination
happens quickly enough, then the code later in pty_backend_create
won't have set up the SIGCHLD handler and its pipe yet, so when we get
to the main event loop, we'll fail to notice that subprocess waiting
to be reaped, and leave it lying around as a zombie.

An easy fix is to move the handler and pipe setup to before the code
that potentially closes pty_utmp_helper_pipe, so that there isn't a
race condition any more.

(cherry picked from commit 7ffa6ed41e)
2020-06-14 15:49:36 +01:00
Jacob Nevins
b22b4cc19f On Windows, show hidden mouse pointer on error.
If a terminal window closed with a popup (due to a network error,
for instance) while the mouse pointer was hidden by 'Hide mouse
pointer when typing in window', the mouse pointer could remain hidden
while over the terminal window, making it hard to navigate to the
popup.

(cherry picked from commit d9c4ce9fd8)
2020-06-14 15:49:36 +01:00
Simon Tatham
8896cf55bc gtkfont: use PANGO_PIXELS_CEIL to work out font metrics.
Colin reports that on betas of Ubuntu 20.04, Pango has switched to
getting its font metrics from HarfBuzz, and a side effect is
apparently that they're being returned in the full precision of
PANGO_SCALE fixed point.

Previously, Pango appears to have been returning values that were
always a whole number of pixels scaled by PANGO_SCALE. Moreover, it
looks as if it was rounding the font ascent and descent _up_ to a
whole number of pixels, rather than rounding to nearest. But our code
rounds to nearest, which means that now the same font gets allocated
fewer vertical pixels, which can be enough to cut off some ascenders
or descenders.

Pango already provides the macro PANGO_PIXELS_CEIL, so it's easy to
switch over to using it. This should arrange that any text that fits
within the font's stated ascent/descent measurements will also fit in
the character cell.

(cherry picked from commit f9a46a9581)
2020-06-14 15:49:36 +01:00
Simon Tatham
b267f35cf7 gtk: fill in missing case in scroll_event().
If gdk_event_get_scroll_deltas() return failure for a given
GdkEventScroll, it doesn't follow that that event has no usable
scrolling action in it at all. The fallback is to call
gdk_event_get_scroll_direction() instead, which is less precise but
still gives _something_ you can use. So in that situation, instead of
just returning false, we can fall through to the handling we use for
pre-GTK3 scroll events (which are always imprecise).

In particular, I've noticed recently that if you run GTK 3 PuTTY in
the virtual X display created by vnc4server, and connect to it using
xtightvncviewer, then scroll-wheel actions passed through from the VNC
client will cause scroll_event() to receive low-res GdkEventScroll
structures of exactly this kind. So scroll-wheel activity on the
terminal window wasn't causing a scroll in that environment, and with
this patch, it does.

(cherry picked from commit 0fd30113f1)
2020-06-14 15:49:36 +01:00
Simon Tatham
9331bb3c57 Fix null-dereference in ssh2_channel_response.
In the SSH-2 connection layer, an outstanding_channel_request
structure comes with a handler to be called back with the reply
packet, when the other end sends one. But sometimes it doesn't - if
the channel begins to close before the request has been replied to -
in which case the handler function is called with a NULL packet
pointer.

The common ssh2_channel_response function that handles most of the
client-side channel requests was not prepared to cope with that
pointer being null. Fixed by making it handle a null return the same
as CHANNEL_FAILURE.

(cherry picked from commit e4b6a7efd2)
2020-06-14 15:49:36 +01:00
Simon Tatham
464ab136c2 Cope with "delete_window" event on the GTK config box.
That causes the config dialog to terminate with result -1, which
wasn't handled at all by the result-receiving code. So GTK PuTTY would
continue running its main loop even though it had no windows open and
wasn't ever planning to do anything.

(cherry picked from commit 4fc5d7a5f5)
2020-06-14 15:49:36 +01:00
Simon Tatham
fee2e42be6 uxser: add a missing uxsel_del.
If we close a serial port fd, we shouldn't leave it active in uxsel.
That never ends well.

(cherry picked from commit 6b77fc627a)
2020-06-14 15:49:36 +01:00
Simon Tatham
fade8e81bf kh2reg: stop using deprecated base64.decodestring.
Python 3 gave me a warning that I should have been using decodebytes
instead.

(cherry picked from commit 1efded20a1)
2020-06-14 15:49:36 +01:00
Simon Tatham
ee26ab8617 kh2reg: fix Python 3 iterator bug with multiple hostnames.
A known_hosts line can have multiple comma-separated hostnames on it,
or more usually a hostname and an IP address.

In the RSA and DSA key handlers, I was making a list of the integer
parameters of the public key by using the 'map' function, and then
iterating over it once per hostname on the line. But in Python 3, the
'map' function returns an iterator, not a list, so after you've
iterated to its end once, it's empty, and iterating over it a second
time stops immediately. As a result, the registry line for the second
hostname was coming out empty.

(cherry picked from commit 143f8a2d10)
2020-06-14 15:49:36 +01:00
Simon Tatham
f86f396578 Fix mp_{eq,hs}_integer(tiny, huge).
The comparison functions between an mp_int and an integer worked by
walking along the mp_int, comparing each of its words to the
corresponding word of the integer. When they ran out of mp_int, they'd
stop.

But this overlooks the possibility that they might not have run out of
_integer_ yet! If BIGNUM_INT_BITS is defined to be less than the size
of a uintmax_t, then comparing (say) the uintmax_t 0x8000000000000001
against a one-word mp_int containing 0x0001 would return equality,
because it would never get as far as spotting the high bit of the
integer.

Fixed by iterating up to the max of the number of BignumInts in the
mp_int and the number that cover a uintmax_t. That means we have to
use mp_word() instead of a direct array lookup to get the mp_int words
to compare against, since now the word indices might be out of range.

(cherry picked from commit 289d8873ec)
2020-06-14 15:49:36 +01:00
Simon Tatham
b2e5b20ab7 mpint: clean up handling of uintmax_t.
Functions like mp_copy_integer_into, mp_add_integer_into and
mp_hs_integer all take an ordinary C integer in the form of a
uintmax_t, and perform an operation between that and an mp_int. In
order to do that, they have to break it up into some number of
BignumInt, via bit shifts.

But in C, shifting by an amount equal to or greater than the width of
the type is undefined behaviour, and you risk the compiler generating
nonsense or complaining at compile time. I did various dodges in those
functions to try to avoid that, but didn't manage to use the same
idiom everywhere. Sometimes I'd leave the integer in its original form
and shift it right by increasing multiples of BIGNUM_INT_BITS;
sometimes I'd shift it down in place every time. And mostly I'd do the
conditional shift by checking against sizeof(n), but once I did it by
shifting by half the word and then the other half.

Now refactored so that there's a pair of functions to shift a
uintmax_t left or right by BIGNUM_INT_BITS in what I hope is a UB-safe
manner, and changed all the code I could find to use them.

(cherry picked from commit 3ea69c290e)
2020-06-14 15:49:36 +01:00
Simon Tatham
45e4fbf207 Fix handling of large RHS in mp_add_integer_into.
While looking over the code for other reasons, I happened to notice
that the internal function mp_add_masked_integer_into was using a
totally wrong condition to check whether it was about to do an
out-of-range right shift: it was comparing a shift count measured in
bits against BIGNUM_INT_BYTES.

The resulting bug hasn't shown up in the code so far, which I assume
is just because no caller is passing any RHS to mp_add_integer_into
bigger than about 1 or 2. And it doesn't show up in the test suite
because I hadn't tested those functions. Now I am testing them, and
the newly added test fails when built for 16-bit BignumInt if you back
out the actual fix in this commit.

(cherry picked from commit 921118dbea)
2020-06-14 15:49:36 +01:00
Simon Tatham
5b45c32ab7 uxpty.c: add a missing include.
This file exports several functions defined in sshserver.h, and the
declarations weren't being type-checked against the definitions.

(cherry picked from commit 37d91aabff)
2020-06-14 15:49:36 +01:00
Simon Tatham
11d67b5a91 uxpgnt --askpass: explicitly fflush(stdout) on exit.
I'm not really sure why that's necessary: by my understanding of the C
standard, it shouldn't be. But my observation is that when compiling
with {Address,Leak} Sanitiser enabled, pageant --askpass can somehow
manage to exit without having actually written the passphrase to its
standard output.

(cherry picked from commit c618d6baac)
2020-06-14 15:49:36 +01:00
Simon Tatham
706eb63c31 Minor memory leaks in Pageant client code.
(cherry picked from commit 8677ee00fb)
2020-06-14 15:49:36 +01:00
Simon Tatham
b29af6df36 Improve stop-bits messages in serial setup.
On Windows, due to a copy-paste goof, the message that should have
read "Configuring n stop bits" instead ended with "data bits".

While I'm here, I've arranged that the "1 stop bit" case of that
message is in the singular. And then I've done the same thing again on
Unix, because I noticed that message was unconditionally plural too.

(cherry picked from commit bdb7b47a5e)
2020-06-14 15:49:36 +01:00
Simon Tatham
eccd4bf781 pollwrap: stop returning unasked-for rwx statuses.
The sets of poll(2) events that we check in order to return SELECT_R
and SELECT_W overlap: to be precise, they have POLLERR in common. So
if an fd signals POLLERR, then pollwrap_get_fd_rwx will respond by
saying that it has both SELECT_R and SELECT_W available on it - even
if the caller had only asked for one of those.

In other words, you can get a spurious SELECT_W notification on an fd
that you never asked for SELECT_W on in the first place. This
definitely isn't what I'd meant that API to do.

In particular, if a socket in the middle of an asynchronous connect()
signals POLLERR, then Unix Plink will call select_result for it with
SELECT_R and then SELECT_W respectively. The former will notice that
it's got an error condition and call plug_closing - and _then_ the
latter will decide that it's writable and set s->connected! The plan
was to only select it for write until it was connected, but this bug
in pollwrap was defeating that plan.

Now pollwrap_get_fd_rwx should only ever return a set of rwx flags
that's a subset of the one that the client asked for via
pollwrap_add_fd_rwx.

(cherry picked from commit 78974fce89)
2020-06-14 15:49:36 +01:00
Simon Tatham
67ca9703be Fix minor memory leak in psftp batch mode.
Spotted by Leak Sanitiser, while I was investigating the PSFTP /
proftpd issue mentioned in the previous commit (with ASan on as
usual).

The two very similar loops that read PSFTP commands from the
interactive prompt and a batch file differed in one respect: only one
of them remembered to free the command afterwards. Now I've moved the
freeing code out into a subroutine that both loops can use.

(cherry picked from commit bf0f323fb4)
2020-06-14 15:49:36 +01:00
Simon Tatham
aed81648cc Fix a deadlock in SFTP upload.
I tried to do an SFTP upload through connection sharing the other day
and found that pscp sent some data and then hung. Now I debug it, what
seems to have happened was that we were looping in sftp_recv() waiting
for an SFTP packet from the remote, but we didn't have any outstanding
SFTP requests that the remote was going to reply to. Checking further,
xfer_upload_ready() reported true, so we _could_ have sent something -
but the logic in the upload loop had a hole through which we managed
to get into 'waiting for a packet' state.

I think what must have happened is that xfer_upload_ready() reported
false so that we entered sftp_recv(), but then the event loop inside
sftp_recv() ran a toplevel callback that made xfer_upload_ready()
return true. So, the fix: sftp_recv() is our last-ditch fallback, and
we always try emptying our callback queue and rechecking upload_ready
before we resort to waiting for a remote packet.

This not only fixes the hang I observed: it also hugely improves the
upload speed. My guess is that the bug must have been preventing us
from filling our outgoing request pipeline a _lot_ - but I didn't
notice it until the one time the queue accidentally ended up empty,
rather than just sparse enough to make transfers slow.

Annoyingly, I actually considered this fix back when I was trying to
fix the proftpd issue mentioned in commit cd97b7e7e. I decided fixing
ssh_sendbuffer() was a better idea. In fact it would have been an even
better idea to do both! Oh well, better late than never.

(cherry picked from commit 3a633bed35)
2020-06-14 15:49:36 +01:00
Simon Tatham
ee8baee4fa Account for packet queues in ssh_sendbuffer().
Ever since I reworked the SSH code to have multiple internal packet
queues, there's been a long-standing FIXME in ssh_sendbuffer() saying
that we ought to include the data buffered in those queues as part of
reporting how much data is buffered on standard input.

Recently a user reported that 'proftpd', or rather its 'mod_sftp'
add-on that implements an SFTP-only SSH server, exposes a bug related
to that missing piece of code. The xfer_upload system in sftp.c starts
by pushing SFTP write messages into the SSH code for as long as
sftp_sendbuffer() (which ends up at ssh_sendbuffer()) reports that not
too much data is buffered locally. In fact what happens is that all
those messages end up on the packet queues between SSH protocol
layers, so they're not counted by sftp_sendbuffer(), so we just keep
going until there's some other reason to stop.

Usually the reason we stop is because we've filled up the SFTP
channel's SSH-layer window, so we need the server to send us a
WINDOW_ADJUST before we're allowed to send any more data. So we return
to the main event loop and start waiting for reply packets. And when
the window is moderate (e.g. OpenSSH currently seems to present about
2MB), this isn't really noticeable.

But proftpd presents the maximum-size window of 2^32-1 bytes, and as a
result we just keep shovelling more and more packets into the internal
packet queues until PSFTP has grown to 4GB in size, and only then do
we even return to the event loop and start actually sending them down
the network. Moreover, this happens again at rekey time, because while
a rekey is in progress, ssh2transport stops emptying the queue of
outgoing packets sent by its higher layer - so, again, everything just
keeps buffering up somewhere that sftp_sendbuffer can't see it.

But this commit fixes it! Each PacketProtocolLayer now provides a
vtable method for asking how much data it currently has queued. Most
of them share a default implementation which just returns the newly
added total_size field from their pq_out; the exception is
ssh2transport, which also has to account for data queued in its higher
layer. And ssh_sendbuffer() adds that on to the quantity it already
knew about in other locations, to give a more realistic idea of the
currently buffered data.

(cherry picked from commit cd97b7e7ea)
2020-02-09 08:51:37 +00:00
Simon Tatham
7c3778ad67 Track the total size of every PacketQueue.
The queue-node structure shared between PktIn and PktOut now has a
'formal_size' field, which is initialised appropriately by the various
packet constructors. And the PacketQueue structure has a 'total_size'
field which tracks the sum of the formal sizes of all the packets on
the queue, and is automatically updated by the push, pop and
concatenate functions.

No functional change, and nothing uses the new fields yet: this is
infrastructure that will be used in the next commit.

(cherry picked from commit 0ff13ae773)
2020-02-09 08:51:37 +00:00
Simon Tatham
35cc7b1cb6 userauth: fill in missing error path when agent goes away.
If the agent client code doesn't even manage to read a full response
message at all (for example, because the agent it's talking to is
Pageant running in debug mode and you just ^Ced it or it crashed,
which is what's been happening to me all afternoon), then previously,
the userauth code would loop back round to the top of the main loop
without having actually sent any request, so the client code would
deadlock waiting for a response to nothing.

(cherry picked from commit 563cb062b8)
2020-02-09 08:51:37 +00:00
Simon Tatham
6864bcddbb userauth: fix two small memory leaks.
Happened to notice these while I was testing the last few commits.

(cherry picked from commit 84fa07cfeb)
2020-02-09 08:51:37 +00:00
Simon Tatham
92c1f31569 cgtest: add missing \n in an error message.
(cherry picked from commit c25dc9c2fd)
2020-02-09 08:51:37 +00:00
Simon Tatham
414d35a508 Change PSCP's default protocol to SSH.
Apparently it's been set on Telnet for the entire lifetime of PSCP. It
can't have caused any trouble, or we'd have noticed by now, but it
still seems silly to set it to something that PSCP clearly can't
handle!

(cherry picked from commit 6f0adb243a)
2020-02-09 08:51:37 +00:00
Simon Tatham
fe732487ad Fix two accidental overwrites of 'flags'.
When I came to actually remove the global 'flags' word, I found that I
got compile failures in two functions that should never have been
accessing it at all, because they forgot to declare _local_ variables
of the same name. Yikes!

(Of course, _now_ that's harmless, because I've just removed all the
actual semantics from the global variable. But I'm about to remove the
variable too, so these bugs would become compile failures.)

(cherry picked from commit 33715c07e3)
2020-02-09 08:51:37 +00:00
Simon Tatham
5b09e4c250 Fix technical-UB uses of the preprocessor.
A recent test-compile at high warning level points out that if you
define a macro with a ... at the end of the parameter list, then every
call should at least include the comma before the variadic part. That
is, if you #define MACRO(x,y,...) then you shouldn't call MACRO(1,2)
with no comma after the 2. But that's what I had done in one of my
definitions of FUNC0 in the fiddly testcrypt system.

In a similar vein, it's a mistake to use the preprocessor 'defined'
operator when it's expanded from another macro. Adjusted the setup of
BB_OK in mpint_i.h to avoid doing that.

(Neither of these has yet caused a problem in any real compile, but
best to fix them before they do.)

(cherry picked from commit f40d31b5cc)
2020-02-09 08:51:37 +00:00
Simon Tatham
8c227b0cc0 Fix misdef of platform_get_x11_unix_address on Windows.
Similarly to the previous commit, this function had an inconsistent
parameter list between Unix and Windows, because the Windows source
file that defines it (winnet.c) didn't include ssh.h where its
prototype lives, so the compiler never checked.

Luckily, the discrepancy was that the Windows version of the function
was declared as taking an extra parameter which it ignored, so the fix
is very easy.

(cherry picked from commit b7f011aed7)
2020-02-09 08:51:37 +00:00
Simon Tatham
964058b5ef Make prototype for new_prompts() consistent.
In commit b4c8fd9d8 which introduced the Seat trait, I got a bit
confused about the prototype of new_prompts(). Previously it took a
'Frontend *' parameter; I edited the call sites to pass a 'Seat *'
instead, but the actual function definition takes no parameters at all
- and rightly so, because the 'Frontend *' inside the prompts_t has
been removed and _not_ replaced with a 'Seat *', so the constructor
would have nothing to do with such a thing anyway.

But I wrote the function declaration in putty.h with '()' rather than
'(void)' (too much time spent in C++), and so the compiler never
spotted the mismatch.

Now new_prompts() is consistently nullary everywhere it appears: the
prototype in the header is a proper (void) one, and the call sites
have been modified to not pointlessly give it a Seat or null pointer.

(cherry picked from commit d183484742)
2020-02-09 08:51:37 +00:00
Simon Tatham
e564a5f05d Fix a memory leak in ssh1_channel_close_local.
Leak Sanitiser was kind enough to point this out to me during testing
of the port forwarding rework: chan_log_close_msg() returns a
dynamically allocated char *, which the caller is supposed to free.

(cherry picked from commit 22350d7668)
2020-02-09 08:51:37 +00:00
Simon Tatham
f7a3280e27 Fix text name of hmac-sha1-96-buggy.
I carefully set up separate mechanisms for the "-96" suffix on the
hash name and the "bug-compatible" in parens after it, so that the
latter could share its parens with annotations from the underlying
hash. And then I forgot to _use_ the second mechanism!

Also added ssh2_mac_text_name to the testcrypt API so I could check it
easily. The result before this fix:

>>> ssh2_mac_text_name(ssh2_mac_new("hmac_sha1_96_buggy", None))
'HMAC-SHA-1-96 (bug-compatible) (unaccelerated)'

And after, which is what I intended all along:

>>> ssh2_mac_text_name(ssh2_mac_new("hmac_sha1_96_buggy", None))
'HMAC-SHA-1-96 (bug-compatible, unaccelerated)'

(cherry picked from commit 600bf247d3)
2020-02-09 08:51:37 +00:00
Simon Tatham
14c6ddca63 Fix misplaced parens in window.c.
This was pointed out as a compiler warning when I test-built with
up-to-date clang-cl. It looks as if it would cause the IDM_FULLSCREEN
item on the system menu to be wrongly greyed/ungreyed, but in fact I
think it's benign, because MF_BYCOMMAND == 0. So it's _just_ a
warning fix, luckily!

(cherry picked from commit 213723a718)
2020-02-09 08:51:37 +00:00
Simon Tatham
8453b9239c New wrapper macro for printf("%zu"), for old VS compat.
A user reports that Visual Studio 2013 and earlier have printf
implementations in their C library that don't support the 'z' modifier
to indicate that an integer argument is size_t. The 'I' modifier
apparently works in place of it.

To avoid littering ifdefs everywhere, I've invented my own inttypes.h
style macros to wrap size_t formatting directives, which are defined
to %zu and %zx normally, or %Iu and %Ix in old-VS mode. Those are in
defs.h, and they're used everywhere that a %z might otherwise get into
the Windows build.

(cherry picked from commit 82a7e8c4ac)
2020-02-09 08:51:37 +00:00
Simon Tatham
cb671ec2d8 Fix format string mistakes revealed by new checking.
An assortment of errors: int vs size_t confusion (probably undetected
since the big switchover in commit 0cda34c6f), some outright spurious
parameters after the format string (copy-paste errors), a particularly
silly one in pscp.c (a comma between two halves of what should have
been a single string literal), and a _missing_ format string in ssh.c
(but luckily in a context where the only text that would be wrongly
treated as a format string was error messages generated elsewhere in
PuTTY).

(cherry picked from commit 247866a9d3)
2020-02-09 08:51:37 +00:00
Simon Tatham
03f6e88385 Greatly improve printf format-string checking.
I've added the gcc-style attribute("printf") to a lot of printf-shaped
functions in this code base that didn't have it. To make that easier,
I moved the wrapping macro into defs.h, and also enabled it if we
detect the __clang__ macro as well as __GNU__ (hence, it will be used
when building for Windows using clang-cl).

The result is that a great many format strings in the code are now
checked by the compiler, where they were previously not. This causes
build failures, which I'll fix in the next commit.

(cherry picked from commit cbfba7a0e9)
2020-02-09 08:51:37 +00:00
Simon Tatham
45198e10c5 Update _MSC_VER translation table.
The entry for 19.0 which we included in advance of its listing on the
official page is now confirmed, and also three followup versions.

(cherry picked from commit 0a4e068ada)
2020-02-09 08:51:37 +00:00
Simon Tatham
97b39eeca3 Work around console I/O size limit on Windows 7.
A user reports that the ReadFile call in console_get_userpass_input
fails with ERROR_NOT_ENOUGH_MEMORY on Windows 7, and further reports
that this problem only happens if you tell ReadFile to read more than
31366 bytes in a single call.

That seems to be a thing that other people have found as well: I
turned up a similar workaround in Ruby's Win32 support module, except
that there it's for WriteConsole. So I'm reducing my arbitrary read
size of 64K to 16K, which is well under that limit.

This issue became noticeable in PuTTY as of the recent commit
cd6bc14f0, which reworked console_get_userpass_input to use strbufs.
Previously we were trying to read an amount proportional to the
existing size of the buffer, so as to grow the buffer exponentially to
save quadratic-time reallocation. That was OK in practice, since the
initial read size was nice and small. But in principle, the same bug
was present in that version of the code, just latent - if we'd ever
been called on to read a _really large_ amount of data, then
_eventually_ the input size parameter to ReadFile would have grown
beyond that mysterious limit!

(cherry picked from commit 7b79d22021)
2020-02-09 08:51:37 +00:00
Simon Tatham
0021ad352d Introduce and use strbuf_chomp.
Those chomp operations in wincons.c and uxcons.c looked ugly, and I'm
not totally convinced they couldn't underrun the buffer by 1 byte in
weird circumstances. strbuf_chomp is neater.

(cherry picked from commit 7590d0625b)
2020-02-09 08:51:37 +00:00
Simon Tatham
697cfa5b7f Use strbuf to store results in prompts_t.
UBsan pointed out another memcpy from NULL (again with length 0) in
the prompts_t system. When I looked at it, I realised that firstly
prompt_ensure_result_size was an early not-so-good implementation of
sgrowarray_nm that would benefit from being replaced with a call to
the real one, and secondly, the whole system for storing prompt
results should really have been replaced with strbufs with the no-move
option, because that's doing all the same jobs better.

So, now each prompt_t holds a strbuf in place of its previous manually
managed string. prompt_ensure_result_size is gone (the console
prompt-reading functions use strbuf_append, and everything else just
adds to the strbuf in the usual marshal.c way). New functions exist to
retrieve a prompt_t's result, either by reference or copied.

(cherry picked from commit cd6bc14f04)
2020-02-09 08:51:37 +00:00
Simon Tatham
34a0460f05 New functions to shrink a strbuf.
These are better than my previous approach of just assigning to
sb->len, because firstly they check by assertion that the new length
is within range, and secondly they preserve the invariant that the
byte stored in the buffer just after the length runs out is \0.

Switched to using the new functions everywhere a grep could turn up
opportunities.

(cherry picked from commit 5891142aee)
2020-02-09 08:51:37 +00:00
Simon Tatham
2c66217af8 Fix undefined behaviour in safegrowarray.
UBsan points out that if the input pointer is NULL, we'll pass it to
memcpy, which is technically illegal by the C standard _even_ if the
length you pass with it is zero.

(cherry picked from commit 88d5948ead)
2020-02-09 08:51:37 +00:00
Simon Tatham
ae84c959ac PuTTYgen: permit and prefer 255 as bit count for ed25519.
In setting up the ECC tests for cmdgen, I noticed that OpenSSH and
PuTTYgen disagree on the bit length to put in a key fingerprint for an
ed25519 key: we think 255, they think 256.

On reflection, I think 255 is more accurate, which is why I bodged
get_fp() in the test suite to ignore that difference when checking our
key fingerprint against OpenSSH's. But having done that, it now seems
silly that if you unnecessarily specify a bit count at ed25519
generation time, cmdgen will insist that it be 256!

255 is now permitted everywhere an ed25519 bit count is input. 256 is
also still allowed for backwards compatibility but 255 is preferred by
the error message if you give any other value.

(cherry picked from commit 187cc8bfcc)
2020-02-09 08:51:37 +00:00
Simon Tatham
e1344d6ca7 Fix ldisc_send() assertion in terminal answerback.
A user reports that if the ^E answerback string is configured to be
empty, then causing the answerback to be sent fails the assertion in
ldisc_send introduced in commit c269dd013.

I thought I'd caught all of the remaining cases of this in commit
4634cd47f, but apparently not.

(cherry picked from commit 43a63019f5)
2020-02-09 08:51:37 +00:00
Simon Tatham
7ccc368a57 New test script 'agenttest.py' for testing Pageant.
Well, actually, two new test programs. agenttest.py is the actual
test; it depends on agenttestgen.py which generates a collection of
test private keys, using the newly exposed testcrypt interface to our
key generation code.

In this commit I've also factored out some Python SSH marshalling code
from cryptsuite, and moved it into a module ssh.py which the agent
tests can reuse.

(cherry picked from commit 8c7b0a787f)
2020-02-09 08:51:37 +00:00
Simon Tatham
3b1f458a0d testcrypt: add return_val_string_asciz_const.
A partial cherry-pick of commit 5cfc90ff0d
keeping just the one function I need on this branch.
2020-02-09 08:51:37 +00:00
Simon Tatham
d51b3d7eb6 Add BinarySource_REWIND_TO.
A partial cherry-pick of commit 32d61d7c48
omitting the parts that aren't needed on this branch.
2020-02-09 08:21:21 +00:00