return early if fread() response is bool(false)

phpseclib · Feb 1, 2020 · c2be7e6 · liborm85 · Feb 4, 2020 · terrafrost
1 parent 500e322
commit c2be7e6
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 10 deletions.
diff --git a/phpseclib/Crypt/Random.php b/phpseclib/Crypt/Random.php
@@ -105,7 +105,10 @@ function crypt_random_string($length)
                 $fp = @fopen('/dev/urandom', 'rb');
             }
             if ($fp !== true && $fp !== false) { // surprisingly faster than !is_bool() or is_resource()
-                return fread($fp, $length);
+                $temp = fread($fp, $length);
+                if (strlen($temp) != $length) {
+                    return $temp;
+                }
             }
             // method 3. pretty much does the same thing as method 2 per the following url:
             // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1391

diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
@@ -2218,7 +2218,11 @@ function _fetchURL($url)
                 }
 
                 while (!feof($fsock)) {
-                    $data.= fread($fsock, 1024);
+                    $temp = fread($fsock, 1024);
+                    if ($temp === false) {
+                        return false;
+                    }
+                    $data.= $temp;
                 }
 
                 break;

diff --git a/phpseclib/Net/SSH1.php b/phpseclib/Net/SSH1.php
@@ -1169,6 +1169,9 @@ function _get_binary_packet()
 
         while ($length > 0) {
             $temp = fread($this->fsock, $length);
+            if (stlren($temp) != $length) {
+                return false;
+            }
             $raw.= $temp;
             $length-= strlen($temp);
         }

diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php
@@ -1252,7 +1252,11 @@ function _connect()
                 $elapsed = strtok(microtime(), ' ') + strtok('') - $start;
                 $this->curTimeout-= $elapsed;
             }
-            $temp.= fgets($this->fsock, 255);
+            $subtemp = fgets($this->fsock, 255);
+            if ($subtemp === '' || $subtemp === false) {
+                return false;
+            }
+            $temp.= $subtemp;
         }
 
         if (feof($this->fsock)) {

diff --git a/phpseclib/System/SSH/Agent.php b/phpseclib/System/SSH/Agent.php
@@ -263,22 +263,35 @@ function sign($message)
         $packet = pack('Na*', strlen($packet), $packet);
         if (strlen($packet) != fputs($this->fsock, $packet)) {
             user_error('Connection closed during signing');
+            return false;
         }
 
-        $length = current(unpack('N', fread($this->fsock, 4)));
+        $temp = fread($this->fsock, 4);
+        if (strlen($temp) != 4) {
+            user_error('Connection closed during signing');
+            return false;
+        }
+        $length = current(unpack('N', $temp));
         $type = ord(fread($this->fsock, 1));
         if ($type != SYSTEM_SSH_AGENT_SIGN_RESPONSE) {
             user_error('Unable to retreive signature');
+            return false;
         }
 
         $signature_blob = fread($this->fsock, $length - 1);
+        if (strlen($signature_blob) != $length - 1) {
+            user_error('Connection closed during signing');
+            return false;
+        }
         $length = current(unpack('N', $this->_string_shift($signature_blob, 4)));
         if ($length != strlen($signature_blob)) {
             user_error('Malformed signature blob');
+            return false;
         }
         $length = current(unpack('N', $this->_string_shift($signature_blob, 4)));
         if ($length > strlen($signature_blob) + 4) {
             user_error('Malformed signature blob');
+            return false;
         }
         $type = $this->_string_shift($signature_blob, $length);
         $this->_string_shift($signature_blob, 4);
@@ -406,22 +419,51 @@ function requestIdentities()
             return array();
         }
 
-        $length = current(unpack('N', fread($this->fsock, 4)));
+        $temp = fread($this->fsock, 4);
+        if (strlen($temp) != 4) {
+            user_error('Connection closed while requesting identities');
+            return array();
+        }
+        $length = current(unpack('N', $temp));
         $type = ord(fread($this->fsock, 1));
         if ($type != SYSTEM_SSH_AGENT_IDENTITIES_ANSWER) {
             user_error('Unable to request identities');
             return array();
         }
 
         $identities = array();
-        $keyCount = current(unpack('N', fread($this->fsock, 4)));
+        $temp = fread($this->fsock, 4);
+        if (strlen($temp) != 4) {
+            user_error('Connection closed while requesting identities');
+            return array();
+        }
+        $keyCount = current(unpack('N', $temp));
         for ($i = 0; $i < $keyCount; $i++) {
-            $length = current(unpack('N', fread($this->fsock, 4)));
+            $temp = fread($this->fsock, 4);
+            if (strlen($temp) != 4) {
+                user_error('Connection closed while requesting identities');
+                return array();
+            }
+            $length = current(unpack('N', $temp));
             $key_blob = fread($this->fsock, $length);
+            if (strlen($key_blob) != $length) {
+                user_error('Connection closed while requesting identities');
+                return array();
+            }
             $key_str = 'ssh-rsa ' . base64_encode($key_blob);
-            $length = current(unpack('N', fread($this->fsock, 4)));
+            $temp = fread($this->fsock, 4);
+            if (strlen($temp) != 4) {
+                user_error('Connection closed while requesting identities');
+                return array();
+            }
+            $length = current(unpack('N', $temp));
             if ($length) {
-                $key_str.= ' ' . fread($this->fsock, $length);
+                $temp = fread($this->fsock, $length);
+                if (strlen($temp) != $length) {
+                    user_error('Connection closed while requesting identities');
+                    return array();
+                }
+                $key_str.= ' ' . $temp;
             }
             $length = current(unpack('N', substr($key_blob, 0, 4)));
             $key_type = substr($key_blob, 4, $length);
@@ -546,14 +588,24 @@ function _forward_data($data)
 
         if (strlen($this->socket_buffer) != fwrite($this->fsock, $this->socket_buffer)) {
             user_error('Connection closed attempting to forward data to SSH agent');
+            return false;
         }
 
         $this->socket_buffer = '';
         $this->expected_bytes = 0;
 
-        $agent_reply_bytes = current(unpack('N', fread($this->fsock, 4)));
+        $temp = fread($this->fsock, 4);
+        if (strlen($temp) != 4) {
+            user_error('Connection closed while reading data response');
+            return false;
+        }
+        $agent_reply_bytes = current(unpack('N', $temp));
 
         $agent_reply_data = fread($this->fsock, $agent_reply_bytes);
+        if (strlen($agent_reply_data) != $agent_reply_bytes) {
+            user_error('Connection closed while reading data response');
+            return false;
+        }
         $agent_reply_data = current(unpack('a*', $agent_reply_data));
 
         return pack('Na*', $agent_reply_bytes, $agent_reply_data);