Simplified _libssh2_check_length #350

Merged
merged 2 commits into from Apr 5, 2019


@willco007
Member

commented Apr 3, 2019

misc.c : _libssh2_check_length()

Removed cast and one-lined check.

Credit : Yuriy M. Kaminskiy

src/misc.c Outdated
return 0;

return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
return (len <= (size_t)((buf->data + buf->len) - buf->dataptr));
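Review bot: The (size_t) cast on the new return line hides an out-of-range buf->dataptr. If dataptr is past buf->data + buf->len, the pointer difference is negative and converts to a very large size_t; if dataptr is before buf->data, the difference is larger than buf->len. In both cases len can pass the check. Suggest storing the difference in a size_t variable and also requiring it to be no greater than buf->len before comparing it with len.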

@kdudka

kdudka Apr 4, 2019

Contributor

This weakens the check in case buf->dataptr is already behind buf->data + buf->len because when ((buf->data + buf->len) - buf->dataptr) is negative, the conversion to size_t turns it into a big positive number.

@willco007

willco007 Apr 4, 2019

Author Member

It theoretically does, but dataptr should be greater than or equal to data if the API is used correctly (famous last words, I know). Also, in the original case if dataptr was less than data it would be a negative number which would be less than the test and incorrectly return true, which is also bad. Furthermore, the cast to a signed value from unsigned isn't great and could lose precision.

@bagder

bagder Apr 4, 2019

Member

I think the expression could be split up in several parts to become more readable and then the logic is easier to follow and confirm. Something like:

 char *endp = &buf->data[buf->len];
 size_t left = endp - buf->dataptr;
 return (len <= left);

it could even protect against the wrap-around case @kdudka mentioned:

 char *endp = &buf->data[buf->len];
 size_t left = endp - buf->dataptr;
 return ((len <= left) && (left <= buf->len));

@willco007

willco007 Apr 4, 2019

Author Member

Looks good to me. I'll go ahead and make the change to @bagder's last suggestion.

Updated _libssh2_check_length()
Updated suggested patch to protect against incorrect usage which could cause a wrap-around value to return success.
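
The two forms of the check discussed in this thread, as an added example that is not part of the pull request or of libssh2's source: it runs the cast-only return and the bounded return against a constructed buffer whose cursor is in range, past the end, and before the start. The struct field types, `make_buf`, and the function names `check_cast` and `check_bounded` are assumptions made for illustration.

```c
/* Added example, not libssh2 source. Field types are assumptions;
   only the names data, dataptr and len come from the PR. */
#include <stddef.h>
#include <stdio.h>

struct string_buf {
    unsigned char *data;     /* start of buffer */
    unsigned char *dataptr;  /* current read position */
    size_t len;              /* total buffer length */
};

/* First revision in this PR: the pointer difference is cast to size_t. */
static int check_cast(const struct string_buf *buf, size_t len)
{
    return (len <= (size_t)((buf->data + buf->len) - buf->dataptr));
}

/* Form agreed in review: also reject a remaining count above buf->len. */
static int check_bounded(const struct string_buf *buf, size_t len)
{
    unsigned char *endp = &buf->data[buf->len];
    size_t left = (size_t)(endp - buf->dataptr);  /* wraps if dataptr > endp */
    return ((len <= left) && (left <= buf->len));
}

/* Constructed input: a 16-byte buffer inside a 64-byte backing array, so a
   cursor outside the buffer is still a valid pointer into the same array. */
static unsigned char backing[64];

static struct string_buf make_buf(ptrdiff_t cursor_offset)
{
    struct string_buf b;
    b.data = backing + 24;
    b.len = 16;
    b.dataptr = b.data + cursor_offset;
    return b;
}

int main(void)
{
    ptrdiff_t offsets[] = { 4, 24, -8 };  /* in range, past end, before start */
    size_t lens[] = { 12, 4, 20 };
    for(int i = 0; i < 3; i++) {
        struct string_buf b = make_buf(offsets[i]);
        printf("offset %td len %zu: cast=%d bounded=%d\n", offsets[i],
               lens[i], check_cast(&b, lens[i]), check_bounded(&b, lens[i]));
    }
    return 0;
}
```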

@willco007 willco007 requested a review from kdudka Apr 4, 2019

@kdudka

kdudka approved these changes Apr 5, 2019

Contributor

left a comment

Looks good.

@willco007 willco007 merged commit ff1b155 into master Apr 5, 2019

18 checks passed


@willco007 willco007 deleted the willco007-patch-1 branch Apr 5, 2019

doorsdown added a commit to doorsdown/libssh2 that referenced this pull request Apr 17, 2019

Simplified _libssh2_check_length (libssh2#350)
* Simplified _libssh2_check_length

misc.c : _libssh2_check_length()

Removed cast and improved bounds checking and format.

Credit : Yuriy M. Kaminskiy
@carnil


commented Jul 17, 2019

https://blog.semmle.com/libssh2-integer-overflow/ is related to this pull request.
