1 /* 2 * Dropbear SSH 3 * 4 * Copyright (c) 2002,2003 Matt Johnston 5 * All rights reserved. 6 * 7 * Permission is hereby granted, free of charge, to any person obtaining a copy 8 * of this software and associated documentation files (the "Software"), to deal 9 * in the Software without restriction, including without limitation the rights 10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 * copies of the Software, and to permit persons to whom the Software is 12 * furnished to do so, subject to the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be included in 15 * all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 * SOFTWARE. */ 24 25 /* Buffer handling routines, designed to avoid overflows/using invalid data */ 26 27 #include "includes.h" 28 #include "dbutil.h" 29 #include "buffer.h" 30 31 /* Prevent integer overflows when incrementing buffer position/length. 32 * Calling functions should check arguments first, but this provides a 33 * backstop */ 34 #define BUF_MAX_INCR 1000000000 35 #define BUF_MAX_SIZE 1000000000 36 37 /* avoid excessively large numbers, > ~8192 bits */ 38 #define BUF_MAX_MPINT (8240 / 8) 39 40 /* Create (malloc) a new buffer of size */ 41 buffer* buf_new(unsigned int size) { 42 43 buffer* buf; 44 45 if (size > BUF_MAX_SIZE) { 46 dropbear_exit("buf->size too big"); 47 } 48 49 buf = (buffer*)m_malloc(sizeof(buffer)); 50 51 if (size > 0) { 52 buf->data = (unsigned char*)m_malloc(size); 53 } else { 54 buf->data = NULL; 55 } 56 57 buf->size = size; 58 buf->pos = 0; 59 buf->len = 0; 60 61 return buf; 62 63 } 64 65 /* free the buffer's data and the buffer itself */ 66 void buf_free(buffer* buf) { 67 68 m_free(buf->data) 69 m_free(buf); 70 } 71 72 /* overwrite the contents of the buffer to clear it */ 73 void buf_burn(buffer* buf) { 74 75 m_burn(buf->data, buf->size); 76 77 } 78 79 /* resize a buffer, pos and len will be repositioned if required when 80 * downsizing */ 81 void buf_resize(buffer *buf, unsigned int newsize) { 82 83 if (newsize > BUF_MAX_SIZE) { 84 dropbear_exit("buf->size too big"); 85 } 86 87 buf->data = m_realloc(buf->data, newsize); 88 buf->size = newsize; 89 buf->len = MIN(newsize, buf->len); 90 buf->pos = MIN(newsize, buf->pos); 91 92 } 93 94 /* Create a copy of buf, allocating required memory etc. */ 95 /* The new buffer is sized the same as the length of the source buffer. */ 96 buffer* buf_newcopy(buffer* buf) { 97 98 buffer* ret; 99 100 ret = buf_new(buf->len); 101 ret->len = buf->len; 102 memcpy(ret->data, buf->data, buf->len); 103 return ret; 104 } 105 106 /* Set the length of the buffer */ 107 void buf_setlen(buffer* buf, unsigned int len) { 108 if (len > buf->size) { 109 dropbear_exit("bad buf_setlen"); 110 } 111 buf->len = len; 112 } 113 114 /* Increment the length of the buffer */ 115 void buf_incrlen(buffer* buf, unsigned int incr) { 116 if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) { 117 dropbear_exit("bad buf_incrlen"); 118 } 119 buf->len += incr; 120 } 121 /* Set the position of the buffer */ 122 void buf_setpos(buffer* buf, unsigned int pos) { 123 124 if (pos > buf->len) { 125 dropbear_exit("bad buf_setpos"); 126 } 127 buf->pos = pos; 128 } 129 130 /* increment the postion by incr, increasing the buffer length if required */ 131 void buf_incrwritepos(buffer* buf, unsigned int incr) { 132 if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) { 133 dropbear_exit("bad buf_incrwritepos"); 134 } 135 buf->pos += incr; 136 if (buf->pos > buf->len) { 137 buf->len = buf->pos; 138 } 139 } 140 141 /* increment the position by incr, negative values are allowed, to 142 * decrement the pos*/ 143 void buf_incrpos(buffer* buf, int incr) { 144 if (incr > BUF_MAX_INCR || 145 (unsigned int)((int)buf->pos + incr) > buf->len 146 || ((int)buf->pos + incr) < 0) { 147 dropbear_exit("bad buf_incrpos"); 148 } 149 buf->pos += incr; 150 } 151 152 /* Get a byte from the buffer and increment the pos */ 153 unsigned char buf_getbyte(buffer* buf) { 154 155 /* This check is really just ==, but the >= allows us to check for the 156 * bad case of pos > len, which should _never_ happen. */ 157 if (buf->pos >= buf->len) { 158 dropbear_exit("bad buf_getbyte"); 159 } 160 return buf->data[buf->pos++]; 161 } 162 163 /* Get a bool from the buffer and increment the pos */ 164 unsigned char buf_getbool(buffer* buf) { 165 166 unsigned char b; 167 b = buf_getbyte(buf); 168 if (b != 0) 169 b = 1; 170 return b; 171 } 172 173 /* put a byte, incrementing the length if required */ 174 void buf_putbyte(buffer* buf, unsigned char val) { 175 176 if (buf->pos >= buf->len) { 177 buf_incrlen(buf, 1); 178 } 179 buf->data[buf->pos] = val; 180 buf->pos++; 181 } 182 183 /* returns an in-place pointer to the buffer, checking that 184 * the next len bytes from that position can be used */ 185 unsigned char* buf_getptr(buffer* buf, unsigned int len) { 186 187 if (buf->pos + len > buf->len) { 188 dropbear_exit("bad buf_getptr"); 189 } 190 return &buf->data[buf->pos]; 191 } 192 193 /* like buf_getptr, but checks against total size, not used length. 194 * This allows writing past the used length, but not past the size */ 195 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) { 196 197 if (buf->pos + len > buf->size) { 198 dropbear_exit("bad buf_getwriteptr"); 199 } 200 return &buf->data[buf->pos]; 201 } 202 203 /* Return a null-terminated string, it is malloced, so must be free()ed 204 * Note that the string isn't checked for null bytes, hence the retlen 205 * may be longer than what is returned by strlen */ 206 unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) { 207 208 unsigned int len; 209 unsigned char* ret; 210 len = buf_getint(buf); 211 if (len > MAX_STRING_LEN) { 212 dropbear_exit("string too long"); 213 } 214 215 if (retlen != NULL) { 216 *retlen = len; 217 } 218 ret = m_malloc(len+1); 219 memcpy(ret, buf_getptr(buf, len), len); 220 buf_incrpos(buf, len); 221 ret[len] = '\0'; 222 223 return ret; 224 } 225 226 /* Just increment the buffer position the same as if we'd used buf_getstring, 227 * but don't bother copying/malloc()ing for it */ 228 void buf_eatstring(buffer *buf) { 229 230 buf_incrpos( buf, buf_getint(buf) ); 231 } 232 233 /* Get an uint32 from the buffer and increment the pos */ 234 unsigned int buf_getint(buffer* buf) { 235 unsigned int ret; 236 237 LOAD32H(ret, buf_getptr(buf, 4)); 238 buf_incrpos(buf, 4); 239 return ret; 240 } 241 242 /* put a 32bit uint into the buffer, incr bufferlen & pos if required */ 243 void buf_putint(buffer* buf, int unsigned val) { 244 245 STORE32H(val, buf_getwriteptr(buf, 4)); 246 buf_incrwritepos(buf, 4); 247 248 } 249 250 /* put a SSH style string into the buffer, increasing buffer len if required */ 251 void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) { 252 253 buf_putint(buf, len); 254 buf_putbytes(buf, str, len); 255 256 } 257 258 /* put the set of len bytes into the buffer, incrementing the pos, increasing 259 * len if required */ 260 void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) { 261 memcpy(buf_getwriteptr(buf, len), bytes, len); 262 buf_incrwritepos(buf, len); 263 } 264 265 266 /* for our purposes we only need positive (or 0) numbers, so will 267 * fail if we get negative numbers */ 268 void buf_putmpint(buffer* buf, mp_int * mp) { 269 270 unsigned int len, pad = 0; 271 TRACE(("enter buf_putmpint")) 272 273 dropbear_assert(mp != NULL); 274 275 if (SIGN(mp) == MP_NEG) { 276 dropbear_exit("negative bignum"); 277 } 278 279 /* zero check */ 280 if (USED(mp) == 1 && DIGIT(mp, 0) == 0) { 281 len = 0; 282 } else { 283 /* SSH spec requires padding for mpints with the MSB set, this code 284 * implements it */ 285 len = mp_count_bits(mp); 286 /* if the top bit of MSB is set, we need to pad */ 287 pad = (len%8 == 0) ? 1 : 0; 288 len = len / 8 + 1; /* don't worry about rounding, we need it for 289 padding anyway when len%8 == 0 */ 290 291 } 292 293 /* store the length */ 294 buf_putint(buf, len); 295 296 /* store the actual value */ 297 if (len > 0) { 298 if (pad) { 299 buf_putbyte(buf, 0x00); 300 } 301 if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len-pad)) != MP_OKAY) { 302 dropbear_exit("mpint error"); 303 } 304 buf_incrwritepos(buf, len-pad); 305 } 306 307 TRACE(("leave buf_putmpint")) 308 } 309 310 /* Retrieve an mp_int from the buffer. 311 * Will fail for -ve since they shouldn't be required here. 312 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ 313 int buf_getmpint(buffer* buf, mp_int* mp) { 314 315 unsigned int len; 316 len = buf_getint(buf); 317 318 if (len == 0) { 319 mp_zero(mp); 320 return DROPBEAR_SUCCESS; 321 } 322 323 if (len > BUF_MAX_MPINT) { 324 return DROPBEAR_FAILURE; 325 } 326 327 /* check for negative */ 328 if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) { 329 return DROPBEAR_FAILURE; 330 } 331 332 if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) { 333 return DROPBEAR_FAILURE; 334 } 335 336 buf_incrpos(buf, len); 337 return DROPBEAR_SUCCESS; 338 } 339