summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2024-10-18 07:03:34 +0200
committerDamien Miller <djm@mindrot.org>2024-10-18 07:04:16 +0200
commitd01ee7a88c5f4b1aa8c75a7c739f8f3bc1ad8bde (patch)
tree55ccd353cbff7828f374bb5631ae7af1cfef0c06
parentupstream: remove addr.[ch] functions that are unused and (diff)
downloadopenssh-d01ee7a88c5f4b1aa8c75a7c739f8f3bc1ad8bde.tar.xz
openssh-d01ee7a88c5f4b1aa8c75a7c739f8f3bc1ad8bde.zip
upstream: require control-escape character sequences passed via the '-e
^x' commandline to be exactly two characters long. Avoids one by OOB read if ssh is invoked as "ssh -e^ ..." Spotted by Maciej Domanski in GHPR368 OpenBSD-Commit-ID: baa72bc60898fc5639e6c62de7493a202c95823d
-rw-r--r--ssh.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/ssh.c b/ssh.c
index 0019281f4..112845bea 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.600 2024/01/11 01:45:36 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.601 2024/10/18 05:03:34 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -965,7 +965,7 @@ main(int ac, char **av)
options.log_level = SYSLOG_LEVEL_QUIET;
break;
case 'e':
- if (optarg[0] == '^' && optarg[2] == 0 &&
+ if (strlen(optarg) == 2 && optarg[0] == '^' &&
(u_char) optarg[1] >= 64 &&
(u_char) optarg[1] < 128)
options.escape_char = (u_char) optarg[1] & 31;