diff options
author | dtucker@openbsd.org <dtucker@openbsd.org> | 2020-02-18 09:58:33 +0100 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2020-02-18 10:23:25 +0100 |
commit | 264a966216137c9f4f8220fd9142242d784ba059 (patch) | |
tree | 287b1b3a451a09bef465eafb22cb562d3605fdeb /ssh-add.c | |
parent | upstream: Detect and prevent simple configuration loops when using (diff) | |
download | openssh-264a966216137c9f4f8220fd9142242d784ba059.tar.xz openssh-264a966216137c9f4f8220fd9142242d784ba059.zip |
upstream: Ensure that the key lifetime provided fits within the
values allowed by the wire format (u32). Prevents integer wraparound of the
timeout values. bz#3119, ok markus@ djm@
OpenBSD-Commit-ID: 8afe6038b5cdfcf63360788f012a7ad81acc46a2
Diffstat (limited to '')
-rw-r--r-- | ssh-add.c | 13 |
1 files changed, 7 insertions, 6 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.152 2020/02/06 22:30:54 naddy Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.153 2020/02/18 08:58:33 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -90,7 +90,7 @@ static char *default_files[] = { static int fingerprint_hash = SSH_FP_HASH_DEFAULT; /* Default lifetime (0 == forever) */ -static int lifetime = 0; +static long lifetime = 0; /* User has to confirm key use */ static int confirm = 0; @@ -328,7 +328,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag, filename, comment); if (lifetime != 0) { fprintf(stderr, - "Lifetime set to %d seconds\n", lifetime); + "Lifetime set to %ld seconds\n", lifetime); } if (confirm != 0) { fprintf(stderr, "The user must confirm " @@ -384,7 +384,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag, fprintf(stderr, "Certificate added: %s (%s)\n", certpath, private->cert->key_id); if (lifetime != 0) { - fprintf(stderr, "Lifetime set to %d seconds\n", + fprintf(stderr, "Lifetime set to %ld seconds\n", lifetime); } if (confirm != 0) { @@ -571,7 +571,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag) sshkey_type(keys[i]), fp); if (lifetime != 0) { fprintf(stderr, - "Lifetime set to %d seconds\n", lifetime); + "Lifetime set to %ld seconds\n", lifetime); } if (confirm != 0) { fprintf(stderr, "The user must confirm " @@ -720,7 +720,8 @@ main(int argc, char **argv) pkcs11provider = optarg; break; case 't': - if ((lifetime = convtime(optarg)) == -1) { + if ((lifetime = convtime(optarg)) == -1 || + lifetime < 0 || lifetime > UINT32_MAX) { fprintf(stderr, "Invalid lifetime\n"); ret = 1; goto done; |