      1 /*
      2  * Dropbear SSH
      3  *
      4  * Copyright (c) 2002,2003 Matt Johnston
      5  * All rights reserved.
      6  *
      7  * Permission is hereby granted, free of charge, to any person obtaining a copy
      8  * of this software and associated documentation files (the "Software"), to deal
      9  * in the Software without restriction, including without limitation the rights
     10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
     11  * copies of the Software, and to permit persons to whom the Software is
     12  * furnished to do so, subject to the following conditions:
     13  *
     14  * The above copyright notice and this permission notice shall be included in
     15  * all copies or substantial portions of the Software.
     16  *
     17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
     18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
     19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
     20  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
     21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
     23  * SOFTWARE. */
     24 
     25 /* Buffer handling routines, designed to avoid overflows/using invalid data */
     26 
     27 #include "includes.h"
     28 #include "dbutil.h"
     29 #include "buffer.h"
     30 
/* Prevent integer overflows when incrementing buffer position/length.
 * Calling functions should check arguments first, but this provides a
 * backstop.  Both bounds are far below UINT_MAX/2, so a position or
 * length that is already <= BUF_MAX_SIZE plus an increment that is
 * <= BUF_MAX_INCR cannot wrap an unsigned int; the check functions
 * below (buf_incrlen, buf_incrwritepos, buf_incrpos) rely on this. */
#define BUF_MAX_INCR 1000000000
#define BUF_MAX_SIZE 1000000000

/* avoid excessively large numbers, > ~8192 bits.
 * Byte-length cap applied by buf_getmpint: 8240 / 8 = 1030 bytes,
 * slightly more than the 1024 bytes of an 8192-bit value. */
#define BUF_MAX_MPINT (8240 / 8)
     39 
/* Allocate a new buffer able to hold `size` bytes.
 * The buffer starts empty: len and pos are both 0.  A zero-sized buffer
 * gets no data allocation at all (data == NULL).  The caller owns the
 * result and releases it with buf_free().
 * Exits the process if size exceeds BUF_MAX_SIZE. */
buffer* buf_new(unsigned int size) {

	buffer *newbuf = NULL;

	if (size > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	newbuf = (buffer*)m_malloc(sizeof(*newbuf));
	newbuf->data = (size > 0) ? (unsigned char*)m_malloc(size) : NULL;
	newbuf->size = size;
	newbuf->len = 0;
	newbuf->pos = 0;

	return newbuf;
}
     64 
/* Release the buffer's data area and then the buffer struct itself.
 * buf must not be used afterwards. */
void buf_free(buffer* buf) {
	/* The data line deliberately has no trailing ';' — it looks like m_free()
	 * is a statement-style macro (see dbutil.h); confirm before adding one. */
	m_free(buf->data)
	m_free(buf);
}
     71 
/* Overwrite the whole data area (all `size` bytes, not just `len`) so that
 * sensitive contents do not linger in memory.  pos and len are unchanged. */
void buf_burn(buffer* buf) {
	unsigned char *area = buf->data;
	unsigned int area_len = buf->size;

	m_burn(area, area_len);
}
     78 
/* Change the buffer's capacity to newsize bytes.  When shrinking, len and
 * pos are clamped so that neither exceeds the new size.
 * Exits the process if newsize exceeds BUF_MAX_SIZE.
 * NOTE(review): the result of m_realloc() is assigned straight back to
 * buf->data, so m_realloc is assumed never to return NULL on failure
 * (i.e. it exits itself) — confirm in dbutil.h. */
void buf_resize(buffer *buf, unsigned int newsize) {

	if (newsize > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	buf->data = m_realloc(buf->data, newsize);
	buf->size = newsize;

	/* Keep the used length and the cursor inside the new capacity. */
	if (buf->len > newsize) {
		buf->len = newsize;
	}
	if (buf->pos > newsize) {
		buf->pos = newsize;
	}
}
     93 
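/* Create a copy of buf, allocating required memory etc.
 * The new buffer is sized the same as the length of the source buffer, so
 * only the used bytes [0, len) are copied; the copy's pos is 0 (set by
 * buf_new) regardless of the source's pos.  The caller owns the result
 * and releases it with buf_free(). */
buffer* buf_newcopy(buffer* buf) {

	buffer* ret;

	ret = buf_new(buf->len);
	ret->len = buf->len;
	/* buf_new() leaves data NULL for a zero-sized buffer, and memcpy()
	 * requires valid pointers even for a zero-length copy, so skip it. */
	if (buf->len > 0) {
		memcpy(ret->data, buf->data, buf->len);
	}
	return ret;
}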
    105 
/* Set the used length of the buffer to len.
 * Exits the process if len would exceed the buffer's capacity.
 * pos is not touched here, so a caller that shrinks len below pos is
 * expected to reposition afterwards. */
void buf_setlen(buffer* buf, unsigned int len) {
	int fits = (len <= buf->size);

	if (!fits) {
		dropbear_exit("bad buf_setlen");
	}
	buf->len = len;
}
    113 
/* Grow the used length of the buffer by incr bytes.
 * Exits the process if incr is larger than BUF_MAX_INCR or if the new
 * length would exceed the buffer's capacity. */
void buf_incrlen(buffer* buf, unsigned int incr) {
	unsigned int newlen;

	/* Bound incr before adding so the sum cannot wrap
	 * (len <= size <= BUF_MAX_SIZE). */
	if (incr > BUF_MAX_INCR) {
		dropbear_exit("bad buf_incrlen");
	}
	newlen = buf->len + incr;
	if (newlen > buf->size) {
		dropbear_exit("bad buf_incrlen");
	}
	buf->len = newlen;
}
/* Move the read/write cursor to pos.
 * Exits the process if pos lies beyond the used length (pos == len is
 * allowed and means "at the end"). */
void buf_setpos(buffer* buf, unsigned int pos) {
	int inside = (pos <= buf->len);

	if (!inside) {
		dropbear_exit("bad buf_setpos");
	}
	buf->pos = pos;
}
    129 
/* Advance the cursor by incr bytes after a write, extending the used
 * length to the new cursor if it went past the old length.
 * Exits the process if incr is larger than BUF_MAX_INCR or if the new
 * position would exceed the buffer's capacity. */
void buf_incrwritepos(buffer* buf, unsigned int incr) {
	unsigned int newpos;

	/* Bound incr before adding so the sum cannot wrap
	 * (pos <= size <= BUF_MAX_SIZE). */
	if (incr > BUF_MAX_INCR) {
		dropbear_exit("bad buf_incrwritepos");
	}
	newpos = buf->pos + incr;
	if (newpos > buf->size) {
		dropbear_exit("bad buf_incrwritepos");
	}
	buf->pos = newpos;
	/* Writing past the used region extends it. */
	if (buf->len < newpos) {
		buf->len = newpos;
	}
}
    140 
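/* Move the cursor by incr bytes; negative values move it backwards.
 * Exits the process if |incr| exceeds BUF_MAX_INCR, if the new position
 * would be negative, or if it would lie beyond the used length.
 * The magnitude of incr is bounded in both directions before any
 * arithmetic: buf->pos is at most BUF_MAX_SIZE, so once |incr| is at
 * most BUF_MAX_INCR the signed sum below cannot overflow an int. */
void buf_incrpos(buffer* buf, int incr) {
	int newpos;

	if (incr > BUF_MAX_INCR || incr < -BUF_MAX_INCR) {
		dropbear_exit("bad buf_incrpos");
	}

	newpos = (int)buf->pos + incr;
	if (newpos < 0 || (unsigned int)newpos > buf->len) {
		dropbear_exit("bad buf_incrpos");
	}
	buf->pos = (unsigned int)newpos;
}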
    151 
/* Read one byte at the cursor and advance the cursor by one.
 * Exits the process if no bytes remain.  The test is written as >= rather
 * than == so that a corrupted state with pos > len is also caught. */
unsigned char buf_getbyte(buffer* buf) {
	unsigned char b;

	if (!(buf->pos < buf->len)) {
		dropbear_exit("bad buf_getbyte");
	}
	b = buf->data[buf->pos];
	buf->pos++;
	return b;
}
    162 
/* Read one byte as an SSH boolean and advance the cursor.
 * Any non-zero byte is normalised to 1; zero stays 0.
 * Exits the process (via buf_getbyte) if no bytes remain. */
unsigned char buf_getbool(buffer* buf) {
	unsigned char raw = buf_getbyte(buf);

	return (raw != 0) ? 1 : 0;
}
    172 
/* Write one byte at the cursor and advance the cursor by one.
 * If the cursor is at the end of the used region the length is grown by
 * one first; buf_incrlen exits the process if there is no capacity left. */
void buf_putbyte(buffer* buf, unsigned char val) {
	int at_end = !(buf->pos < buf->len);

	if (at_end) {
		buf_incrlen(buf, 1);
	}
	buf->data[buf->pos++] = val;
}
    182 
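/* Return an in-place pointer to the buffer at the cursor, after checking
 * that the next len bytes lie within the used length.  The cursor is not
 * advanced; callers do that with buf_incrpos().
 * len is bounded by BUF_MAX_INCR before the addition so that pos + len
 * cannot wrap an unsigned int (pos <= BUF_MAX_SIZE) and slip past the
 * length check with an attacker-chosen length.
 * Exits the process on failure. */
unsigned char* buf_getptr(buffer* buf, unsigned int len) {

	if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
		dropbear_exit("bad buf_getptr");
	}
	return &buf->data[buf->pos];
}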
    192 
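/* Like buf_getptr, but checks against the total capacity rather than the
 * used length.  This allows writing past the used length, but not past
 * the size; the cursor is not advanced (see buf_incrwritepos).
 * len is bounded by BUF_MAX_INCR before the addition so that pos + len
 * cannot wrap an unsigned int (pos <= BUF_MAX_SIZE) and bypass the check.
 * Exits the process on failure. */
unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {

	if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
		dropbear_exit("bad buf_getwriteptr");
	}
	return &buf->data[buf->pos];
}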
    202 
/* Read an SSH string (uint32 length followed by that many bytes) and
 * return it as a freshly malloc()ed, NUL-terminated copy; the caller must
 * free() it.  If retlen is non-NULL the wire length is stored there.
 * The bytes themselves are not scanned for NUL, so *retlen may be larger
 * than strlen() of the result.
 * Exits the process if the length exceeds MAX_STRING_LEN or if the buffer
 * does not hold that many bytes. */
unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {

	unsigned int len = 0;
	unsigned char *copy = NULL;

	len = buf_getint(buf);
	if (len > MAX_STRING_LEN) {
		dropbear_exit("string too long");
	}
	if (retlen) {
		*retlen = len;
	}

	copy = m_malloc(len + 1);
	memcpy(copy, buf_getptr(buf, len), len);
	buf_incrpos(buf, len);
	copy[len] = '\0';

	return copy;
}
    225 
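/* Skip over an SSH string (uint32 length followed by that many bytes)
 * without copying or allocating, advancing the cursor just as
 * buf_getstring would.
 * Exits the process if the length is larger than BUF_MAX_INCR or runs
 * past the used length (the latter via buf_incrpos). */
void buf_eatstring(buffer *buf) {

	unsigned int len = buf_getint(buf);

	/* buf_incrpos() takes an int.  Reject oversized lengths here instead of
	 * relying on the implementation-defined unsigned-to-int conversion to
	 * produce a value buf_incrpos happens to refuse.  BUF_MAX_INCR is the
	 * bound buf_incrpos enforces anyway, so valid lengths are unaffected. */
	if (len > BUF_MAX_INCR) {
		dropbear_exit("bad buf_eatstring");
	}
	buf_incrpos(buf, (int)len);
}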
    232 
/* Read a big-endian uint32 at the cursor and advance the cursor by 4.
 * Exits the process (via buf_getptr) if fewer than 4 bytes remain. */
unsigned int buf_getint(buffer* buf) {
	unsigned int val = 0;
	unsigned char *src = buf_getptr(buf, 4);

	LOAD32H(val, src);
	buf_incrpos(buf, 4);
	return val;
}
    241 
/* Write val as a big-endian uint32 at the cursor, advancing the cursor by
 * 4 and extending the used length if the write went past it.
 * Exits the process (via buf_getwriteptr) if 4 bytes of capacity are not
 * available. */
void buf_putint(buffer* buf, unsigned int val) {
	unsigned char *dst = buf_getwriteptr(buf, 4);

	STORE32H(val, dst);
	buf_incrwritepos(buf, 4);
}
    249 
/* Write an SSH string: a uint32 length prefix followed by the len bytes at
 * str.  The cursor advances past the string and the used length grows as
 * needed.  Exits the process if there is not enough capacity. */
void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) {
	/* Length prefix first, then the raw bytes. */
	buf_putint(buf, len);
	buf_putbytes(buf, str, len);
}
    257 
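/* Copy len raw bytes from bytes into the buffer at the cursor, advancing
 * the cursor by len and extending the used length if required.
 * Exits the process (via buf_getwriteptr) if the capacity is insufficient. */
void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
	unsigned char *dst = buf_getwriteptr(buf, len);

	/* memcpy() requires valid pointers even when the count is 0, so do not
	 * call it for an empty write (bytes may legitimately be NULL then). */
	if (len > 0) {
		memcpy(dst, bytes, len);
	}
	buf_incrwritepos(buf, len);
}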
    264 
    265 
    266 /* for our purposes we only need positive (or 0) numbers, so will
    267  * fail if we get negative numbers */
    268 void buf_putmpint(buffer* buf, mp_int * mp) {
    269 
    270 	unsigned int len, pad = 0;
    271 	TRACE(("enter buf_putmpint"))
    272 
    273 	dropbear_assert(mp != NULL);
    274 
    275 	if (SIGN(mp) == MP_NEG) {
    276 		dropbear_exit("negative bignum");
    277 	}
    278 
    279 	/* zero check */
    280 	if (USED(mp) == 1 && DIGIT(mp, 0) == 0) {
    281 		len = 0;
    282 	} else {
    283 		/* SSH spec requires padding for mpints with the MSB set, this code
    284 		 * implements it */
    285 		len = mp_count_bits(mp);
    286 		/* if the top bit of MSB is set, we need to pad */
    287 		pad = (len%8 == 0) ? 1 : 0;
    288 		len = len / 8 + 1; /* don't worry about rounding, we need it for
    289 							  padding anyway when len%8 == 0 */
    290 
    291 	}
    292 
    293 	/* store the length */
    294 	buf_putint(buf, len);
    295 
    296 	/* store the actual value */
    297 	if (len > 0) {
    298 		if (pad) {
    299 			buf_putbyte(buf, 0x00);
    300 		}
    301 		if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len-pad)) != MP_OKAY) {
    302 			dropbear_exit("mpint error");
    303 		}
    304 		buf_incrwritepos(buf, len-pad);
    305 	}
    306 
    307 	TRACE(("leave buf_putmpint"))
    308 }
    309 
/* Read an SSH mpint (uint32 length followed by big-endian magnitude) into
 * mp.  A zero length yields 0.  Negative values (top bit of the first byte
 * set) are rejected since they are never needed here, as are lengths over
 * BUF_MAX_MPINT bytes.
 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE.  On failure the cursor
 * has already moved past the 4-byte length field but not past the
 * magnitude bytes. */
int buf_getmpint(buffer* buf, mp_int* mp) {

	unsigned int len = buf_getint(buf);

	if (len == 0) {
		mp_zero(mp);
		return DROPBEAR_SUCCESS;
	}

	if (len > BUF_MAX_MPINT) {
		return DROPBEAR_FAILURE;
	}

	/* Peek at the first byte: a set top bit would be a negative number. */
	if ((buf_getptr(buf, 1)[0] & (1 << (CHAR_BIT - 1))) != 0) {
		return DROPBEAR_FAILURE;
	}

	if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
		return DROPBEAR_FAILURE;
	}

	buf_incrpos(buf, len);
	return DROPBEAR_SUCCESS;
}
    339