svnno****@sourc*****
svnno****@sourc*****
2017年 5月 11日 (木) 13:29:25 JST
Revision: 6711 http://sourceforge.jp/projects/ttssh2/scm/svn/commits/6711
Author: doda
Date: 2017-05-11 13:29:25 +0900 (Thu, 11 May 2017)
Log Message:
-----------
バッファサイズ関連を unsigned へ変更 INT32_MAX より大きい値を扱う時に比較が正しく行われないのを回避する為に変更。 サーバ側より極端に大きい(異常な)値を正しくはじくのが目的。 演算でのオーバーフローの考慮はちゃんと行う必要があるので、別途チェックを強化する。
Modified Paths:
--------------
trunk/ttssh2/ttxssh/buffer.c
trunk/ttssh2/ttxssh/buffer.h
trunk/ttssh2/ttxssh/keyfiles.c
-------------- next part --------------
Modified: trunk/ttssh2/ttxssh/buffer.c
===================================================================
--- trunk/ttssh2/ttxssh/buffer.c 2017-05-11 04:29:22 UTC (rev 6710)
+++ trunk/ttssh2/ttxssh/buffer.c 2017-05-11 04:29:25 UTC (rev 6711)
@@ -28,7 +28,7 @@
 {
 void *ptr;
 buffer_t *buf;
- int size = 4096;
+ unsigned int size = 4096;
 buf = malloc(sizeof(buffer_t));
 ptr = malloc(size);
@@ -60,11 +60,10 @@
 // \x83o\x83b\x83t\x83@\x82̗̈\xE6\x8Ag\x92\xA3\x82\xF0\x8Ds\x82\xA4\x81B
 // return: \x8Ag\x92\xA3\x91O\x82̃o\x83b\x83t\x83@\x83|\x83C\x83\x93\x83^\x81[
-void *buffer_append_space(buffer_t * buf, int size)
+void *buffer_append_space(buffer_t * buf, size_t size)
 {
- int n;
- int ret = -1;
- int newlen;
+ unsigned int n;
+ unsigned int newlen;
 void *p;
 n = buf->offset + size;
@@ -90,8 +89,8 @@
 panic:
 {
- char *p = NULL;
- *p = 0; // application fault
+ char *p = NULL;
+ *p = 0; // application fault
 }
 return (NULL);
 }
@@ -98,9 +97,9 @@
 int buffer_append(buffer_t * buf, char *ptr, int size)
 {
- int n;
+ unsigned int n;
 int ret = -1;
- int newlen;
+ unsigned int newlen;
 for (;;) {
 n = buf->offset + size;
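Review bot: In buffer_append_space, `n` and `newlen` are declared `unsigned int` while `buf->offset` and the new `size` parameter are `size_t`, so on a 64-bit build `n = buf->offset + size;` is silently truncated to 32 bits before any later comparison sees it, and the addition itself can still wrap. Declare them `size_t n, newlen;` and reject wrap-around explicitly before the addition, e.g. `if (size > SIZE_MAX - buf->offset) goto panic;`, which is the overflow check the log message says is deferred. The body of buffer_append_space continues past the hunk, so the comparison that consumes `n` is not visible here.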
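Review bot: buffer_append keeps `int size` while `n` becomes `unsigned int`, so `n = buf->offset + size;` now converts a negative `size` into a very large unsigned value instead of a negative one, and the 64-bit `buf->offset` is again truncated into a 32-bit `n`. Either change the parameter to `size_t size` to match buffer_append_space, or guard with `if (size < 0) return -1;` before the loop and make `n`/`newlen` `size_t`. The same int-length-against-size_t-field mismatch remains in the buffer.h prototypes for buffer_append, buffer_append_length and buffer_put_raw (hunk @@ -20) and buffer_overflow_verify, buffer_compress and buffer_decompress (hunk @@ -42). The rest of the `for (;;)` loop is outside the hunk.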
@@ -158,11 +157,11 @@
 ret = buffer_append(msg, ptr, size);
 }
-int buffer_get_ret(buffer_t *msg, void *buf, int len)
+int buffer_get_ret(buffer_t *msg, void *buf, size_t len)
 {
 if (len > msg->len - msg->offset) {
 // TODO: \x83G\x83\x89\x81[\x8F\x88\x97\x9D
- OutputDebugPrintf("buffer_get_ret: trying to get more bytes %d than in buffer %d",
+ OutputDebugPrintf("buffer_get_ret: trying to get more bytes %u than in buffer %u",
 len, msg->len - msg->offset);
 return (-1);
 }
@@ -171,7 +170,7 @@
 return (0);
 }
-int buffer_get_int_ret(int *ret, buffer_t *msg)
+int buffer_get_int_ret(unsigned int *ret, buffer_t *msg)
 {
 unsigned char buf[4];
@@ -182,13 +181,13 @@
 return (0);
 }
-int buffer_get_int(buffer_t *msg)
+unsigned int buffer_get_int(buffer_t *msg)
 {
- int ret = -1;
+ unsigned int ret = 0;
 if (buffer_get_int_ret(&ret, msg) == -1) {
 // TODO: \x83G\x83\x89\x81[\x8F\x88\x97\x9D
- OutputDebugPrintf("buffer_get_int: buffer error");
+ logprintf(NULL, LOG_LEVEL_ERROR, "buffer_get_int: buffer error");
 }
 return (ret);
 }
@@ -435,7 +434,7 @@
 void buffer_get_bignum_SECSH(buffer_t *buffer, BIGNUM *value)
 {
 char *buf;
- int bits, bytes;
+ unsigned int bits, bytes;
 bits = buffer_get_int(buffer);
 bytes = (bits + 7) / 8;
@@ -531,7 +530,7 @@
 }
 // \x83o\x83b\x83t\x83@\x82̃I\x83t\x83Z\x83b\x83g\x82\xF0\x90i\x82߂\xE9\x81B
-void buffer_consume(buffer_t *buf, int shift_byte)
+void buffer_consume(buffer_t *buf, size_t shift_byte)
 {
 if (shift_byte > buf->len - buf->offset) {
 // TODO: fatal error
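Review bot: The new format string in buffer_get_ret passes `len` and `msg->len - msg->offset`, both `size_t`, to `%u`, which is a type mismatch (undefined behavior, and wrong output on a 64-bit build where size_t is wider than unsigned int). Use `%zu` if OutputDebugPrintf's formatter supports it; otherwise cast: `OutputDebugPrintf("buffer_get_ret: trying to get more bytes %lu than in buffer %lu", (unsigned long)len, (unsigned long)(msg->len - msg->offset));`. Note also that the guard `len > msg->len - msg->offset` relies on `offset <= len` always holding; if that invariant is ever broken, the unsigned subtraction wraps and the guard passes.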
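Review bot: buffer_get_int now returns 0 on a short buffer where it used to return -1, and 0 is also a legitimate wire value, so callers can no longer distinguish a truncated packet from a zero-length field. Every caller that previously tested the result with `< 0` needs to be revisited; where the value sizes a subsequent read or allocation, call `buffer_get_int_ret` directly and check its return, e.g. `if (buffer_get_int_ret(&len, msg) == -1) goto error;`. Only the keyfiles.c caller is adjusted in this commit (it now tests `len == 0`); the remaining callers are not visible here.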
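Review bot: In buffer_get_bignum_SECSH, `bytes = (bits + 7) / 8;` wraps when the peer-supplied `bits` exceeds `UINT_MAX - 7` (for `bits == UINT_MAX` it yields `bytes == 0`), so the derived length no longer corresponds to `bits`, and a read failure reported by buffer_get_int arrives as `bits == 0` indistinguishable from a real zero. Bound the value before the arithmetic, e.g. `if (bits > UINT_MAX - 7 || (bits + 7) / 8 > buffer->len - buffer->offset) { /* reject: log and leave value untouched */ }`; since the function returns void, the contract for a rejected value has to be decided with the callers. The part of the function that consumes `bytes` is outside the hunk.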
@@ -542,7 +541,7 @@
 }
 // \x83o\x83b\x83t\x83@\x82̖\x96\x94\xF6\x82\xF0\x8Fk\x91ނ\xB7\x82\xE9\x81B
-void buffer_consume_end(buffer_t *buf, int shift_byte)
+void buffer_consume_end(buffer_t *buf, size_t shift_byte)
 {
 if (shift_byte > buf->len - buf->offset) {
 // TODO: fatal error
Modified: trunk/ttssh2/ttxssh/buffer.h
===================================================================
--- trunk/ttssh2/ttxssh/buffer.h 2017-05-11 04:29:22 UTC (rev 6710)
+++ trunk/ttssh2/ttxssh/buffer.h 2017-05-11 04:29:25 UTC (rev 6711)
@@ -7,9 +7,9 @@
 typedef struct buffer {
 char *buf; /* \x83o\x83b\x83t\x83@\x82̐擪\x83|\x83C\x83\x93\x83^\x81Brealloc()\x82ɂ\xE6\x82\xE8\x95ϓ\xAE\x82\xB7\x82\xE9\x81B*/
- int offset; /* \x8C\xBB\x8D݂̓ǂݏo\x82\xB5\x88ʒu */
- int maxlen; /* \x83o\x83b\x83t\x83@\x82̍ő\xE5\x83T\x83C\x83Y */
- int len; /* \x83o\x83b\x83t\x83@\x82Ɋ܂܂\xEA\x82\xE9\x97L\x8C\xF8\x82ȃf\x81[\x83^\x83T\x83C\x83Y */
+ size_t offset; /* \x8C\xBB\x8D݂̓ǂݏo\x82\xB5\x88ʒu */
+ size_t maxlen; /* \x83o\x83b\x83t\x83@\x82̍ő\xE5\x83T\x83C\x83Y */
+ size_t len; /* \x83o\x83b\x83t\x83@\x82Ɋ܂܂\xEA\x82\xE9\x97L\x8C\xF8\x82ȃf\x81[\x83^\x83T\x83C\x83Y */
 } buffer_t;
 /* buffer_t.buf \x82̊g\x92\xA3\x82̏\xE3\x8C\xC0\x92l (16MB) */
@@ -20,7 +20,7 @@
 void buffer_clear(buffer_t *buf);
 buffer_t *buffer_init(void);
 void buffer_free(buffer_t *buf);
-void *buffer_append_space(buffer_t * buf, int size);
+void *buffer_append_space(buffer_t * buf, size_t size);
 int buffer_append(buffer_t *buf, char *ptr, int size);
 int buffer_append_length(buffer_t *msg, char *ptr, int size);
 void buffer_put_raw(buffer_t *msg, char *ptr, int size);
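Review bot: The struct fields in buffer.h now use `size_t`, but nothing in the hunk shows where that type comes from; unless an earlier include already provides it, add `#include <stddef.h>` at the top of the header so buffer.h stays self-contained. The header's own comment block above the typedef would also be the place to state the invariant the new unsigned comparisons depend on, e.g. `/* invariant: offset <= len <= maxlen; all length checks assume it */`.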
@@ -42,13 +42,13 @@
 void buffer_get_ecpoint_msg(buffer_t *msg, const EC_GROUP *curve, EC_POINT *point);
 char *buffer_tail_ptr(buffer_t *msg);
 int buffer_overflow_verify(buffer_t *msg, int len);
-void buffer_consume(buffer_t *buf, int shift_byte);
-void buffer_consume_end(buffer_t *buf, int shift_byte);
+void buffer_consume(buffer_t *buf, size_t shift_byte);
+void buffer_consume_end(buffer_t *buf, size_t shift_byte);
 int buffer_compress(z_stream *zstream, char *payload, int len, buffer_t *compbuf);
 int buffer_decompress(z_stream *zstream, char *payload, int len, buffer_t *compbuf);
-int buffer_get_ret(buffer_t *msg, void *buf, int len);
-int buffer_get_int_ret(int *ret, buffer_t *msg);
-int buffer_get_int(buffer_t *msg);
+int buffer_get_ret(buffer_t *msg, void *buf, size_t len);
+int buffer_get_int_ret(unsigned int *ret, buffer_t *msg);
+unsigned int buffer_get_int(buffer_t *msg);
 int buffer_get_char_ret(char *ret, buffer_t *msg);
 int buffer_get_char(buffer_t *msg);
 void buffer_rewind(buffer_t *buf);
Modified: trunk/ttssh2/ttxssh/keyfiles.c
===================================================================
--- trunk/ttssh2/ttxssh/keyfiles.c 2017-05-11 04:29:22 UTC (rev 6710)
+++ trunk/ttssh2/ttxssh/keyfiles.c 2017-05-11 04:29:25 UTC (rev 6711)
@@ -1189,7 +1189,8 @@
 {
 Key *result = NULL;
 unsigned long err = 0;
- int i, len, len2;
+ int i, len2;
+ unsigned int len;
 int encflag;
 char *encname = NULL;
 buffer_t *blob = NULL, *blob2 = NULL;
@@ -1266,7 +1267,7 @@
 goto error;
 }
 len = buffer_get_int(blob);
- if (len <= 0 || len > blob->len) {
+ if (len == 0 || len > blob->len) {
 strncpy_s(errmsg, errmsg_len, "body size error", _TRUNCATE);
 goto error;
 }
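Review bot: The new guard in keyfiles.c compares `len` with `blob->len`, the buffer's total length, rather than with the bytes still unread, `blob->len - blob->offset`, so a body length that exceeds the remaining data but not the total still passes this check; `if (len == 0 || len > blob->len - blob->offset) {` is the bound the log message describes. A later buffer_get_ret would presumably reject the over-long read, but failing here keeps the "body size error" message accurate. `len == 0` now also absorbs buffer_get_int's new error return, which is acceptable at this site because a zero-length body is rejected anyway; the enclosing function begins outside this hunk.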