1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25 /* Buffer handling routines, designed to avoid overflows/using invalid data */
26
27 #include "includes.h"
28 #include "dbutil.h"
29 #include "buffer.h"
30
31 /* Prevent integer overflows when incrementing buffer position/length.
32 * Calling functions should check arguments first, but this provides a
33 * backstop */
34 #define BUF_MAX_INCR 1000000000
35 #define BUF_MAX_SIZE 1000000000
36
37 /* avoid excessively large numbers, > ~8192 bits */
38 #define BUF_MAX_MPINT (8240 / 8)
39
40 /* Create (malloc) a new buffer of size */
buf_new(unsigned int size)41 buffer* buf_new(unsigned int size) {
42 buffer* buf;
43 if (size > BUF_MAX_SIZE) {
44 dropbear_exit("buf->size too big");
45 }
46
47 buf = (buffer*)m_malloc(sizeof(buffer)+size);
48 buf->data = (unsigned char*)buf + sizeof(buffer);
49 buf->size = size;
50 return buf;
51 }
52
53 /* free the buffer's data and the buffer itself */
buf_free(buffer * buf)54 void buf_free(buffer* buf) {
55 m_free(buf);
56 }
57
58 /* overwrite the contents of the buffer to clear it */
buf_burn(const buffer * buf)59 void buf_burn(const buffer* buf) {
60 m_burn(buf->data, buf->size);
61 }
62
63 /* resize a buffer, pos and len will be repositioned if required when
64 * downsizing */
buf_resize(buffer * buf,unsigned int newsize)65 buffer* buf_resize(buffer *buf, unsigned int newsize) {
66 if (newsize > BUF_MAX_SIZE) {
67 dropbear_exit("buf->size too big");
68 }
69
70 buf = m_realloc(buf, sizeof(buffer)+newsize);
71 buf->data = (unsigned char*)buf + sizeof(buffer);
72 buf->size = newsize;
73 buf->len = MIN(newsize, buf->len);
74 buf->pos = MIN(newsize, buf->pos);
75 return buf;
76 }
77
78 /* Create a copy of buf, allocating required memory etc. */
79 /* The new buffer is sized the same as the length of the source buffer. */
buf_newcopy(const buffer * buf)80 buffer* buf_newcopy(const buffer* buf) {
81
82 buffer* ret;
83
84 ret = buf_new(buf->len);
85 ret->len = buf->len;
86 if (buf->len > 0) {
87 memcpy(ret->data, buf->data, buf->len);
88 }
89 return ret;
90 }
91
92 /* Set the length of the buffer */
buf_setlen(buffer * buf,unsigned int len)93 void buf_setlen(buffer* buf, unsigned int len) {
94 if (len > buf->size) {
95 dropbear_exit("Bad buf_setlen");
96 }
97 buf->len = len;
98 buf->pos = MIN(buf->pos, buf->len);
99 }
100
101 /* Increment the length of the buffer */
buf_incrlen(buffer * buf,unsigned int incr)102 void buf_incrlen(buffer* buf, unsigned int incr) {
103 if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) {
104 dropbear_exit("Bad buf_incrlen");
105 }
106 buf->len += incr;
107 }
108 /* Set the position of the buffer */
buf_setpos(buffer * buf,unsigned int pos)109 void buf_setpos(buffer* buf, unsigned int pos) {
110
111 if (pos > buf->len) {
112 dropbear_exit("Bad buf_setpos");
113 }
114 buf->pos = pos;
115 }
116
117 /* increment the position by incr, increasing the buffer length if required */
buf_incrwritepos(buffer * buf,unsigned int incr)118 void buf_incrwritepos(buffer* buf, unsigned int incr) {
119 if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
120 dropbear_exit("Bad buf_incrwritepos");
121 }
122 buf->pos += incr;
123 if (buf->pos > buf->len) {
124 buf->len = buf->pos;
125 }
126 }
127
128 /* increment the position by incr */
buf_incrpos(buffer * buf,unsigned int incr)129 void buf_incrpos(buffer* buf, unsigned int incr) {
130 if (incr > BUF_MAX_INCR
131 || (buf->pos + incr) > buf->len) {
132 dropbear_exit("Bad buf_incrpos");
133 }
134 buf->pos += incr;
135 }
136
137 /* decrement the position by decr */
buf_decrpos(buffer * buf,unsigned int decr)138 void buf_decrpos(buffer* buf, unsigned int decr) {
139 if (decr > buf->pos) {
140 dropbear_exit("Bad buf_decrpos");
141 }
142 buf->pos -= decr;
143 }
144
145 /* Get a byte from the buffer and increment the pos */
buf_getbyte(buffer * buf)146 unsigned char buf_getbyte(buffer* buf) {
147
148 /* This check is really just ==, but the >= allows us to check for the
149 * bad case of pos > len, which should _never_ happen. */
150 if (buf->pos >= buf->len) {
151 dropbear_exit("Bad buf_getbyte");
152 }
153 return buf->data[buf->pos++];
154 }
155
156 /* Get a bool from the buffer and increment the pos */
buf_getbool(buffer * buf)157 unsigned char buf_getbool(buffer* buf) {
158
159 unsigned char b;
160 b = buf_getbyte(buf);
161 if (b != 0)
162 b = 1;
163 return b;
164 }
165
166 /* put a byte, incrementing the length if required */
buf_putbyte(buffer * buf,unsigned char val)167 void buf_putbyte(buffer* buf, unsigned char val) {
168
169 if (buf->pos >= buf->len) {
170 buf_incrlen(buf, 1);
171 }
172 buf->data[buf->pos] = val;
173 buf->pos++;
174 }
175
176 /* returns an in-place pointer to the buffer, checking that
177 * the next len bytes from that position can be used */
buf_getptr(const buffer * buf,unsigned int len)178 unsigned char* buf_getptr(const buffer* buf, unsigned int len) {
179
180 if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
181 dropbear_exit("Bad buf_getptr");
182 }
183 return &buf->data[buf->pos];
184 }
185
186 /* like buf_getptr, but checks against total size, not used length.
187 * This allows writing past the used length, but not past the size */
buf_getwriteptr(const buffer * buf,unsigned int len)188 unsigned char* buf_getwriteptr(const buffer* buf, unsigned int len) {
189
190 if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
191 dropbear_exit("Bad buf_getwriteptr");
192 }
193 return &buf->data[buf->pos];
194 }
195
196 /* Return a null-terminated string, it is malloced, so must be free()ed
197 * Note that the string isn't checked for null bytes, hence the retlen
198 * may be longer than what is returned by strlen */
buf_getstring(buffer * buf,unsigned int * retlen)199 char* buf_getstring(buffer* buf, unsigned int *retlen) {
200
201 unsigned int len;
202 char* ret;
203 void* src = NULL;
204 len = buf_getint(buf);
205 if (len > MAX_STRING_LEN) {
206 dropbear_exit("String too long");
207 }
208
209 if (retlen != NULL) {
210 *retlen = len;
211 }
212 src = buf_getptr(buf, len);
213 ret = m_malloc(len+1);
214 memcpy(ret, src, len);
215 buf_incrpos(buf, len);
216 ret[len] = '\0';
217
218 return ret;
219 }
220
221 /* Return a string as a newly allocated buffer */
buf_getstringbuf_int(buffer * buf,int incllen)222 static buffer * buf_getstringbuf_int(buffer *buf, int incllen) {
223 buffer *ret = NULL;
224 unsigned int len = buf_getint(buf);
225 int extra = 0;
226 if (len > MAX_STRING_LEN) {
227 dropbear_exit("String too long");
228 }
229 if (incllen) {
230 extra = 4;
231 }
232 ret = buf_new(len+extra);
233 if (incllen) {
234 buf_putint(ret, len);
235 }
236 memcpy(buf_getwriteptr(ret, len), buf_getptr(buf, len), len);
237 buf_incrpos(buf, len);
238 buf_incrlen(ret, len);
239 buf_setpos(ret, 0);
240 return ret;
241 }
242
243 /* Return a string as a newly allocated buffer */
buf_getstringbuf(buffer * buf)244 buffer * buf_getstringbuf(buffer *buf) {
245 return buf_getstringbuf_int(buf, 0);
246 }
247
248 /* Returns a string in a new buffer, including the length */
buf_getbuf(buffer * buf)249 buffer * buf_getbuf(buffer *buf) {
250 return buf_getstringbuf_int(buf, 1);
251 }
252
253 /* Just increment the buffer position the same as if we'd used buf_getstring,
254 * but don't bother copying/malloc()ing for it */
buf_eatstring(buffer * buf)255 void buf_eatstring(buffer *buf) {
256
257 buf_incrpos( buf, buf_getint(buf) );
258 }
259
260 /* Get an uint32 from the buffer and increment the pos */
buf_getint(buffer * buf)261 unsigned int buf_getint(buffer* buf) {
262 unsigned int ret;
263
264 LOAD32H(ret, buf_getptr(buf, 4));
265 buf_incrpos(buf, 4);
266 return ret;
267 }
268
269 /* put a 32bit uint into the buffer, incr bufferlen & pos if required */
buf_putint(buffer * buf,int unsigned val)270 void buf_putint(buffer* buf, int unsigned val) {
271
272 STORE32H(val, buf_getwriteptr(buf, 4));
273 buf_incrwritepos(buf, 4);
274
275 }
276
277 /* put a SSH style string into the buffer, increasing buffer len if required */
buf_putstring(buffer * buf,const char * str,unsigned int len)278 void buf_putstring(buffer* buf, const char* str, unsigned int len) {
279
280 buf_putint(buf, len);
281 buf_putbytes(buf, (const unsigned char*)str, len);
282
283 }
284
285 /* puts an entire buffer as a SSH string. ignore pos of buf_str. */
buf_putbufstring(buffer * buf,const buffer * buf_str)286 void buf_putbufstring(buffer *buf, const buffer* buf_str) {
287 buf_putstring(buf, (const char*)buf_str->data, buf_str->len);
288 }
289
290 /* put the set of len bytes into the buffer, incrementing the pos, increasing
291 * len if required */
buf_putbytes(buffer * buf,const unsigned char * bytes,unsigned int len)292 void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
293 memcpy(buf_getwriteptr(buf, len), bytes, len);
294 buf_incrwritepos(buf, len);
295 }
296
297
298 /* for our purposes we only need positive (or 0) numbers, so will
299 * fail if we get negative numbers */
buf_putmpint(buffer * buf,mp_int * mp)300 void buf_putmpint(buffer* buf, mp_int * mp) {
301 size_t written;
302 unsigned int len, pad = 0;
303 TRACE2(("enter buf_putmpint"))
304
305 dropbear_assert(mp != NULL);
306
307 if (mp_isneg(mp)) {
308 dropbear_exit("negative bignum");
309 }
310
311 /* zero check */
312 if (mp_iszero(mp)) {
313 len = 0;
314 } else {
315 /* SSH spec requires padding for mpints with the MSB set, this code
316 * implements it */
317 len = mp_count_bits(mp);
318 /* if the top bit of MSB is set, we need to pad */
319 pad = (len%8 == 0) ? 1 : 0;
320 len = len / 8 + 1; /* don't worry about rounding, we need it for
321 padding anyway when len%8 == 0 */
322
323 }
324
325 /* store the length */
326 buf_putint(buf, len);
327
328 /* store the actual value */
329 if (len > 0) {
330 if (pad) {
331 buf_putbyte(buf, 0x00);
332 }
333 if (mp_to_ubin(mp, buf_getwriteptr(buf, len-pad), len-pad, &written) != MP_OKAY) {
334 dropbear_exit("mpint error");
335 }
336 buf_incrwritepos(buf, written);
337 }
338
339 TRACE2(("leave buf_putmpint"))
340 }
341
342 /* Retrieve an mp_int from the buffer.
343 * Will fail for -ve since they shouldn't be required here.
344 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
buf_getmpint(buffer * buf,mp_int * mp)345 int buf_getmpint(buffer* buf, mp_int* mp) {
346
347 unsigned int len;
348 len = buf_getint(buf);
349
350 if (len == 0) {
351 mp_zero(mp);
352 return DROPBEAR_SUCCESS;
353 }
354
355 if (len > BUF_MAX_MPINT) {
356 return DROPBEAR_FAILURE;
357 }
358
359 /* check for negative */
360 if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
361 return DROPBEAR_FAILURE;
362 }
363
364 if (mp_from_ubin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
365 return DROPBEAR_FAILURE;
366 }
367
368 buf_incrpos(buf, len);
369 return DROPBEAR_SUCCESS;
370 }
371