rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone

Blame SOURCES/openssh-6.6p1-CVE-2016-3115.patch

69acbb
diff --git a/session.c b/session.c
69acbb
index 9a75c62..4859245 100644
69acbb
--- a/session.c
69acbb
+++ b/session.c
69acbb
@@ -46,6 +46,7 @@
69acbb
 
69acbb
 #include <arpa/inet.h>
69acbb
 
69acbb
+#include <ctype.h>
69acbb
 #include <errno.h>
69acbb
 #include <fcntl.h>
69acbb
 #include <grp.h>
69acbb
@@ -292,6 +293,21 @@ do_authenticated(Authctxt *authctxt)
69acbb
 	do_cleanup(authctxt);
69acbb
 }
69acbb
 
69acbb
+/* Check untrusted xauth strings for metacharacters */
69acbb
+static int
69acbb
+xauth_valid_string(const char *s)
69acbb
+{
69acbb
+	size_t i;
69acbb
+
69acbb
+	for (i = 0; s[i] != '\0'; i++) {
69acbb
+		if (!isalnum((u_char)s[i]) &&
69acbb
+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
69acbb
+		    s[i] != '-' && s[i] != '_')
69acbb
+		return 0;
69acbb
+	}
69acbb
+	return 1;
69acbb
+}
69acbb
+
69acbb
 /*
69acbb
  * Prepares for an interactive session.  This is called after the user has
69acbb
  * been successfully authenticated.  During this message exchange, pseudo
69acbb
@@ -365,7 +381,13 @@ do_authenticated1(Authctxt *authctxt)
69acbb
 				s->screen = 0;
69acbb
 			}
69acbb
 			packet_check_eom();
69acbb
-			success = session_setup_x11fwd(s);
69acbb
+			if (xauth_valid_string(s->auth_proto) &&
69acbb
+			    xauth_valid_string(s->auth_data))
69acbb
+				success = session_setup_x11fwd(s);
69acbb
+			else {
69acbb
+				success = 0;
69acbb
+				error("Invalid X11 forwarding data");
69acbb
+			}
69acbb
 			if (!success) {
69acbb
 				free(s->auth_proto);
69acbb
 				free(s->auth_data);
69acbb
@@ -2219,7 +2241,13 @@ session_x11_req(Session *s)
69acbb
 	s->screen = packet_get_int();
69acbb
 	packet_check_eom();
69acbb
 
69acbb
-	success = session_setup_x11fwd(s);
69acbb
+	if (xauth_valid_string(s->auth_proto) &&
69acbb
+	    xauth_valid_string(s->auth_data))
69acbb
+		success = session_setup_x11fwd(s);
69acbb
+	else {
69acbb
+		success = 0;
69acbb
+		error("Invalid X11 forwarding data");
69acbb
+	}
69acbb
 	if (!success) {
69acbb
 		free(s->auth_proto);
69acbb
 		free(s->auth_data);