1 /*
2  * Dropbear SSH
3  *
4  * Copyright (c) 2002,2003 Matt Johnston
5  * All rights reserved.
6  *
7  * Permission is hereby granted, free of charge, to any person obtaining a copy
8  * of this software and associated documentation files (the "Software"), to deal
9  * in the Software without restriction, including without limitation the rights
10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11  * copies of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be included in
15  * all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23  * SOFTWARE. */
24 
25 /* Buffer handling routines, designed to avoid overflows/using invalid data */
26 
27 #include "includes.h"
28 #include "dbutil.h"
29 #include "buffer.h"
30 
31 /* Prevent integer overflows when incrementing buffer position/length.
32  * Calling functions should check arguments first, but this provides a
33  * backstop */
34 #define BUF_MAX_INCR 1000000000
35 #define BUF_MAX_SIZE 1000000000
36 
37 /* avoid excessively large numbers, > ~8192 bits */
38 #define BUF_MAX_MPINT (8240 / 8)
39 
40 /* Create (malloc) a new buffer of size */
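buffer* buf_new(unsigned int size) {
	/* Allocate a buffer able to hold 'size' bytes. Exits the process (via
	 * dropbear_exit) rather than returning NULL when size exceeds
	 * BUF_MAX_SIZE. A zero-sized buffer gets data == NULL; pos and len
	 * start at 0. The caller owns the result and releases it with
	 * buf_free(). m_malloc() presumably exits on allocation failure —
	 * there is no NULL check anywhere in this file. */
	buffer* buf;

	if (size > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	/* No cast on the allocator result, and sizeof the object rather than
	 * the type, so a change of the pointer's type cannot silently
	 * under-allocate. */
	buf = m_malloc(sizeof *buf);

	/* Nothing is allocated for an empty buffer; the accessors below check
	 * pos/len against size before they touch data. */
	buf->data = (size > 0) ? m_malloc(size) : NULL;
	buf->size = size;
	buf->pos = 0;
	buf->len = 0;

	return buf;
}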
64 
65 /* free the buffer's data and the buffer itself */
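void buf_free(buffer* buf) {
	/* Release the data array and then the buffer struct itself. Nothing
	 * here overwrites the contents first: callers holding key material or
	 * other secrets should call buf_burn() before buf_free(). After this
	 * call the caller's pointer is dangling and must not be reused. */
	m_free(buf->data);	/* explicit ';' instead of relying on the macro's trailing one */
	m_free(buf);
}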
71 
72 /* overwrite the contents of the buffer to clear it */
void buf_burn(buffer* buf) {
	/* Scrub the whole allocation — all 'size' bytes, not just the 'len'
	 * in use — so stale data past the used length is cleared as well.
	 * The buffer itself stays allocated and usable afterwards. */
	unsigned char *storage = buf->data;
	unsigned int total = buf->size;

	m_burn(storage, total);
}
78 
79 /* resize a buffer, pos and len will be repositioned if required when
80  * downsizing */
void buf_resize(buffer *buf, unsigned int newsize) {
	/* Grow or shrink the data array to exactly newsize bytes; exits when
	 * newsize exceeds BUF_MAX_SIZE. When shrinking, len and pos are clamped
	 * to the new size so neither can point past the allocation.
	 * m_realloc() is presumably a checked realloc wrapper; realloc does not
	 * scrub the old block when it moves, so burn first if the discarded
	 * tail may hold secrets. */
	if (newsize > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	buf->data = m_realloc(buf->data, newsize);
	buf->size = newsize;

	if (buf->len > newsize) {
		buf->len = newsize;
	}
	if (buf->pos > newsize) {
		buf->pos = newsize;
	}
}
93 
94 /* Create a copy of buf, allocating required memory etc. */
95 /* The new buffer is sized the same as the length of the source buffer. */
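buffer* buf_newcopy(buffer* buf) {
	/* Deep-copy the used part of buf into a fresh buffer sized exactly
	 * buf->len. The copy's pos is 0 (set by buf_new) whatever the source's
	 * pos was. Returns a new buffer the caller owns (free with buf_free). */
	buffer* ret = buf_new(buf->len);

	ret->len = buf->len;
	/* buf_new() leaves data NULL for a zero-length buffer, and memcpy with
	 * a null pointer is undefined even for a zero count (C11 7.24.1p2),
	 * so only copy when there is something to copy. */
	if (buf->len > 0) {
		memcpy(ret->data, buf->data, buf->len);
	}
	return ret;
}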
105 
106 /* Set the length of the buffer */
void buf_setlen(buffer* buf, unsigned int len) {
	/* Set the used length to any value in [0, size]; exits on a value
	 * beyond the allocation. pos is left untouched, so shrinking len below
	 * the current pos leaves pos > len — buf_getbyte()/buf_getptr() reject
	 * that state with their own checks rather than this function. */
	if (len <= buf->size) {
		buf->len = len;
		return;
	}
	dropbear_exit("bad buf_setlen");
}
113 
114 /* Increment the length of the buffer */
void buf_incrlen(buffer* buf, unsigned int incr) {
	/* Extend the used length by incr bytes, which must still fit inside
	 * size. BUF_MAX_INCR caps incr so that len + incr cannot wrap: len is
	 * at most size, size at most BUF_MAX_SIZE, so the sum stays far below
	 * UINT_MAX. */
	int step_too_big = (incr > BUF_MAX_INCR);
	int exceeds_size = (buf->len + incr > buf->size);

	if (step_too_big || exceeds_size) {
		dropbear_exit("bad buf_incrlen");
	}
	buf->len = buf->len + incr;
}
121 /* Set the position of the buffer */
void buf_setpos(buffer* buf, unsigned int pos) {
	/* Move the cursor to an absolute offset within the used data. pos may
	 * equal len (cursor at the end) but not exceed it. */
	if (pos <= buf->len) {
		buf->pos = pos;
	} else {
		dropbear_exit("bad buf_setpos");
	}
}
129 
/* increment the position by incr, increasing the buffer length if required */
void buf_incrwritepos(buffer* buf, unsigned int incr) {
	/* Advance the cursor by incr after a write (as buf_putint() and
	 * buf_putbytes() do). The cursor may pass len but not size, and len is
	 * pulled up to the cursor when it does. BUF_MAX_INCR keeps pos + incr
	 * from wrapping. */
	unsigned int target;

	if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
		dropbear_exit("bad buf_incrwritepos");
	}
	target = buf->pos + incr;
	buf->pos = target;
	buf->len = (target > buf->len) ? target : buf->len;
}
140 
141 /* increment the position by incr, negative values are allowed, to
142  * decrement the pos*/
void buf_incrpos(buffer* buf,  int incr) {
	/* Move the cursor by a signed delta; the result must stay within
	 * [0, len]. BUF_MAX_INCR caps a positive step so the int addition below
	 * cannot overflow (pos is at most BUF_MAX_SIZE). Note that the
	 * parameter is int: a caller passing an unsigned length of 2^31 or more
	 * gets a negative step here, so lengths should be validated as unsigned
	 * before being handed in. */
	int target;

	if (incr > BUF_MAX_INCR) {
		dropbear_exit("bad buf_incrpos");
	}
	target = (int)buf->pos + incr;
	if ((unsigned int)target > buf->len || target < 0) {
		dropbear_exit("bad buf_incrpos");
	}
	buf->pos = (unsigned int)target;
}
151 
152 /* Get a byte from the buffer and increment the pos */
unsigned char buf_getbyte(buffer* buf) {
	/* Read one byte at the cursor and advance. pos == len means nothing is
	 * left to read; pos > len should be impossible, and the >= catches
	 * both cases with a single check. */
	unsigned char value;

	if (buf->pos >= buf->len) {
		dropbear_exit("bad buf_getbyte");
	}
	value = buf->data[buf->pos];
	buf->pos += 1;
	return value;
}
162 
163 /* Get a bool from the buffer and increment the pos */
unsigned char buf_getbool(buffer* buf) {
	/* Read one byte and normalise it: any non-zero value becomes 1. */
	return (buf_getbyte(buf) != 0) ? 1 : 0;
}
172 
173 /* put a byte, incrementing the length if required */
void buf_putbyte(buffer* buf, unsigned char val) {
	/* Write one byte at the cursor and advance. Writing at pos == len
	 * appends, so the used length is grown first (buf_incrlen exits when
	 * size is exhausted); writing below len overwrites in place. */
	unsigned int at = buf->pos;

	if (at >= buf->len) {
		buf_incrlen(buf, 1);
	}
	buf->data[at] = val;
	buf->pos = at + 1;
}
182 
183 /* returns an in-place pointer to the buffer, checking that
184  * the next len bytes from that position can be used */
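unsigned char* buf_getptr(buffer* buf, unsigned int len) {
	/* Return a pointer to the next len bytes of used data at the cursor
	 * without advancing; exits if fewer than len bytes remain before
	 * buf->len. The check is written so it cannot wrap: 'buf->pos + len'
	 * would silently pass for a len close to UINT_MAX (lengths reaching
	 * here come straight from buf_getint() in buf_getstring()), whereas
	 * comparing against the remaining space does not. */
	if (len > buf->len || buf->pos > buf->len - len) {
		dropbear_exit("bad buf_getptr");
	}
	return &buf->data[buf->pos];
}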
192 
193 /* like buf_getptr, but checks against total size, not used length.
194  * This allows writing past the used length, but not past the size */
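unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
	/* Like buf_getptr() but bounded by the allocation (size) rather than
	 * the used length, so a caller may write past len but never past the
	 * end of data. Written without 'buf->pos + len' so a len near
	 * UINT_MAX cannot wrap the sum and slip past the check. */
	if (len > buf->size || buf->pos > buf->size - len) {
		dropbear_exit("bad buf_getwriteptr");
	}
	return &buf->data[buf->pos];
}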
202 
203 /* Return a null-terminated string, it is malloced, so must be free()ed
204  * Note that the string isn't checked for null bytes, hence the retlen
205  * may be longer than what is returned by strlen */
unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
	/* Decode an SSH string (uint32 length, then that many bytes) at the
	 * cursor into a fresh NUL-terminated allocation and advance past it.
	 * retlen, when non-NULL, receives the wire length; the bytes may
	 * themselves contain NULs, so strlen() on the result can be shorter.
	 * Lengths above MAX_STRING_LEN abort before anything is allocated.
	 * The caller frees the result. */
	unsigned int len = buf_getint(buf);
	unsigned char* out;

	if (len > MAX_STRING_LEN) {
		dropbear_exit("string too long");
	}

	if (retlen) {
		*retlen = len;
	}

	out = m_malloc(len + 1);
	memcpy(out, buf_getptr(buf, len), len);
	out[len] = '\0';
	buf_incrpos(buf, len);

	return out;
}
225 
226 /* Just increment the buffer position the same as if we'd used buf_getstring,
227  * but don't bother copying/malloc()ing for it */
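void buf_eatstring(buffer *buf) {
	/* Skip an SSH string at the cursor without copying it. The length is
	 * validated as unsigned against the bytes remaining before it reaches
	 * buf_incrpos(): that function takes an int, so an unchecked wire
	 * length of 2^31 or more would be reinterpreted as a negative step and
	 * move the cursor backwards instead of failing. Exits on a length that
	 * does not fit in the remaining data. */
	unsigned int len = buf_getint(buf);

	if (buf->pos > buf->len || len > buf->len - buf->pos) {
		dropbear_exit("bad buf_eatstring");
	}
	/* len is now at most BUF_MAX_SIZE, which fits in an int. */
	buf_incrpos(buf, len);
}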
232 
233 /* Get an uint32 from the buffer and increment the pos */
unsigned int buf_getint(buffer* buf) {
	/* Read a uint32 at the cursor and advance 4 bytes. buf_getptr() does
	 * the bounds check; LOAD32H presumably decodes the SSH wire
	 * (big-endian) byte order — see its definition. */
	unsigned char *src = buf_getptr(buf, 4);
	unsigned int value;

	LOAD32H(value, src);
	buf_incrpos(buf, 4);
	return value;
}
241 
242 /* put a 32bit uint into the buffer, incr bufferlen & pos if required */
void buf_putint(buffer* buf, unsigned int val) {
	/* Write a uint32 at the cursor and advance 4 bytes, growing len when
	 * the write lands past it. buf_getwriteptr() checks against size;
	 * STORE32H presumably emits big-endian — see its definition. */
	unsigned char *dst = buf_getwriteptr(buf, 4);

	STORE32H(val, dst);
	buf_incrwritepos(buf, 4);
}
249 
250 /* put a SSH style string into the buffer, increasing buffer len if required */
void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) {
	/* Encode an SSH string: a 4-byte length prefix followed by the raw
	 * bytes. len is the byte count to write and is not derived from str,
	 * so embedded NULs are carried through unchanged. The byte copy is
	 * buf_putbytes() inlined: bounds-check against size, copy, advance. */
	unsigned char *dst;

	buf_putint(buf, len);
	dst = buf_getwriteptr(buf, len);
	memcpy(dst, str, len);
	buf_incrwritepos(buf, len);
}
257 
258 /* put the set of len bytes into the buffer, incrementing the pos, increasing
259  * len if required */
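void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
	/* Append/overwrite len raw bytes at the cursor and advance, growing
	 * len if the write passes it. The bounds check runs unconditionally;
	 * the copy is skipped for len == 0 because memcpy with a null source
	 * (e.g. an empty string passed as NULL) is undefined even for a zero
	 * count (C11 7.24.1p2). */
	unsigned char *dst = buf_getwriteptr(buf, len);

	if (len > 0) {
		memcpy(dst, bytes, len);
	}
	buf_incrwritepos(buf, len);
}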
264 
265 
266 /* for our purposes we only need positive (or 0) numbers, so will
267  * fail if we get negative numbers */
void buf_putmpint(buffer* buf, mp_int * mp) {
	/* Encode a non-negative bignum as an SSH mpint: uint32 length, then
	 * the magnitude (libtommath writes the most significant byte first),
	 * with one leading 0x00 byte when the top bit of the first byte would
	 * otherwise be set so it cannot be read back as negative. Zero encodes
	 * as length 0 with no payload; negative values abort. */
	unsigned int bodylen = 0;
	unsigned int needpad = 0;

	TRACE(("enter buf_putmpint"))

	dropbear_assert(mp != NULL);

	if (SIGN(mp) == MP_NEG) {
		dropbear_exit("negative bignum");
	}

	/* A single zero digit is libtommath's zero; anything else has bits. */
	if (!(USED(mp) == 1 && DIGIT(mp, 0) == 0)) {
		unsigned int bits = mp_count_bits(mp);
		/* bits % 8 == 0 means the high bit of the top byte is set, which
		 * the wire format must escape with a zero byte. */
		needpad = (bits % 8 == 0) ? 1 : 0;
		/* Whole bytes, rounded up; when bits % 8 == 0 the extra byte is
		 * the pad slot rather than rounding. */
		bodylen = bits / 8 + 1;
	}

	/* length prefix first, then the payload */
	buf_putint(buf, bodylen);

	if (bodylen > 0) {
		unsigned int magbytes = bodylen - needpad;
		if (needpad) {
			buf_putbyte(buf, 0x00);
		}
		if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, magbytes)) != MP_OKAY) {
			dropbear_exit("mpint error");
		}
		buf_incrwritepos(buf, magbytes);
	}

	TRACE(("leave buf_putmpint"))
}
309 
310 /* Retrieve an mp_int from the buffer.
311  * Will fail for -ve since they shouldn't be required here.
312  * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
int buf_getmpint(buffer* buf, mp_int* mp) {
	/* Decode an SSH mpint at the cursor into mp and advance past it.
	 * Returns DROPBEAR_FAILURE — with the cursor left just after the
	 * length field — for a length above BUF_MAX_MPINT, for a set top bit
	 * (negative in the two's-complement wire encoding, which this code
	 * does not support) or on a libtommath error; DROPBEAR_SUCCESS
	 * otherwise. The length cap bounds the bignum work a peer can force
	 * per message. */
	unsigned int len = buf_getint(buf);
	const unsigned char *first;

	if (len == 0) {
		mp_zero(mp);
		return DROPBEAR_SUCCESS;
	}

	if (len > BUF_MAX_MPINT) {
		return DROPBEAR_FAILURE;
	}

	/* Sign bit of the first byte: set means negative. */
	first = buf_getptr(buf, 1);
	if (first[0] & (1 << (CHAR_BIT - 1))) {
		return DROPBEAR_FAILURE;
	}

	if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
		return DROPBEAR_FAILURE;
	}

	buf_incrpos(buf, len);
	return DROPBEAR_SUCCESS;
}
339