1 /* $OpenBSD: sshbuf.c,v 1.4 2015/10/05 17:11:21 djm Exp $ */ 2 /* 3 * Copyright (c) 2011 Damien Miller 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #define SSHBUF_INTERNAL 19 #include "includes.h" 20 21 #include <sys/param.h> /* roundup */ 22 #include <sys/types.h> 23 #include <signal.h> 24 #include <stdlib.h> 25 #include <stdio.h> 26 #include <string.h> 27 28 #include "ssherr.h" 29 #include "sshbuf.h" 30 31 static inline int 32 sshbuf_check_sanity(const struct sshbuf *buf) 33 { 34 SSHBUF_TELL("sanity"); 35 if (__predict_false(buf == NULL || 36 (!buf->readonly && buf->d != buf->cd) || 37 buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX || 38 buf->cd == NULL || 39 (buf->dont_free && (buf->readonly || buf->parent != NULL)) || 40 buf->max_size > SSHBUF_SIZE_MAX || 41 buf->alloc > buf->max_size || 42 buf->size > buf->alloc || 43 buf->off > buf->size)) { 44 /* Do not try to recover from corrupted buffer internals */ 45 SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR")); 46 signal(SIGSEGV, SIG_DFL); 47 raise(SIGSEGV); 48 return SSH_ERR_INTERNAL_ERROR; 49 } 50 return 0; 51 } 52 53 static void 54 sshbuf_maybe_pack(struct sshbuf *buf, int force) 55 { 56 SSHBUF_DBG(("force %d", force)); 57 SSHBUF_TELL("pre-pack"); 58 if (buf->off == 0 || buf->readonly || buf->refcount > 1) 59 return; 60 if (force || 61 (buf->off >= SSHBUF_PACK_MIN && buf->off >= buf->size / 2)) { 62 memmove(buf->d, buf->d + buf->off, buf->size - buf->off); 63 buf->size -= buf->off; 64 buf->off = 0; 65 SSHBUF_TELL("packed"); 66 } 67 } 68 69 struct sshbuf * 70 sshbuf_new(void) 71 { 72 struct sshbuf *ret; 73 74 if ((ret = calloc(sizeof(*ret), 1)) == NULL) 75 return NULL; 76 ret->alloc = SSHBUF_SIZE_INIT; 77 ret->max_size = SSHBUF_SIZE_MAX; 78 ret->readonly = 0; 79 ret->refcount = 1; 80 ret->parent = NULL; 81 if ((ret->cd = ret->d = calloc(1, ret->alloc)) == NULL) { 82 free(ret); 83 return NULL; 84 } 85 return ret; 86 } 87 88 struct sshbuf * 89 sshbuf_from(const void *blob, size_t len) 90 { 91 struct sshbuf *ret; 92 93 if (blob == NULL || len > SSHBUF_SIZE_MAX || 94 (ret = calloc(sizeof(*ret), 1)) == NULL) 95 return NULL; 96 ret->alloc = ret->size = ret->max_size = len; 97 ret->readonly = 1; 98 ret->refcount = 1; 99 ret->parent = NULL; 100 ret->cd = blob; 101 ret->d = NULL; 102 return ret; 103 } 104 105 int 106 sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent) 107 { 108 int r; 109 110 if ((r = sshbuf_check_sanity(child)) != 0 || 111 (r = sshbuf_check_sanity(parent)) != 0) 112 return r; 113 child->parent = parent; 114 child->parent->refcount++; 115 return 0; 116 } 117 118 struct sshbuf * 119 sshbuf_fromb(struct sshbuf *buf) 120 { 121 struct sshbuf *ret; 122 123 if (sshbuf_check_sanity(buf) != 0) 124 return NULL; 125 if ((ret = sshbuf_from(sshbuf_ptr(buf), sshbuf_len(buf))) == NULL) 126 return NULL; 127 if (sshbuf_set_parent(ret, buf) != 0) { 128 sshbuf_free(ret); 129 return NULL; 130 } 131 return ret; 132 } 133 134 void 135 sshbuf_init(struct sshbuf *ret) 136 { 137 explicit_bzero(ret, sizeof(*ret)); 138 ret->alloc = SSHBUF_SIZE_INIT; 139 ret->max_size = SSHBUF_SIZE_MAX; 140 ret->readonly = 0; 141 ret->dont_free = 1; 142 ret->refcount = 1; 143 if ((ret->cd = ret->d = calloc(1, ret->alloc)) == NULL) 144 ret->alloc = 0; 145 } 146 147 void 148 sshbuf_free(struct sshbuf *buf) 149 { 150 int dont_free = 0; 151 152 if (buf == NULL) 153 return; 154 /* 155 * The following will leak on insane buffers, but this is the safest 156 * course of action - an invalid pointer or already-freed pointer may 157 * have been passed to us and continuing to scribble over memory would 158 * be bad. 159 */ 160 if (sshbuf_check_sanity(buf) != 0) 161 return; 162 /* 163 * If we are a child, the free our parent to decrement its reference 164 * count and possibly free it. 165 */ 166 if (buf->parent != NULL) { 167 sshbuf_free(buf->parent); 168 buf->parent = NULL; 169 } 170 /* 171 * If we are a parent with still-extant children, then don't free just 172 * yet. The last child's call to sshbuf_free should decrement our 173 * refcount to 0 and trigger the actual free. 174 */ 175 buf->refcount--; 176 if (buf->refcount > 0) 177 return; 178 dont_free = buf->dont_free; 179 if (!buf->readonly) { 180 explicit_bzero(buf->d, buf->alloc); 181 free(buf->d); 182 } 183 explicit_bzero(buf, sizeof(*buf)); 184 if (!dont_free) 185 free(buf); 186 } 187 188 void 189 sshbuf_reset(struct sshbuf *buf) 190 { 191 u_char *d; 192 193 if (buf->readonly || buf->refcount > 1) { 194 /* Nonsensical. Just make buffer appear empty */ 195 buf->off = buf->size; 196 return; 197 } 198 if (sshbuf_check_sanity(buf) == 0) 199 explicit_bzero(buf->d, buf->alloc); 200 buf->off = buf->size = 0; 201 if (buf->alloc != SSHBUF_SIZE_INIT) { 202 if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) { 203 buf->cd = buf->d = d; 204 buf->alloc = SSHBUF_SIZE_INIT; 205 } 206 } 207 } 208 209 size_t 210 sshbuf_max_size(const struct sshbuf *buf) 211 { 212 return buf->max_size; 213 } 214 215 size_t 216 sshbuf_alloc(const struct sshbuf *buf) 217 { 218 return buf->alloc; 219 } 220 221 const struct sshbuf * 222 sshbuf_parent(const struct sshbuf *buf) 223 { 224 return buf->parent; 225 } 226 227 u_int 228 sshbuf_refcount(const struct sshbuf *buf) 229 { 230 return buf->refcount; 231 } 232 233 int 234 sshbuf_set_max_size(struct sshbuf *buf, size_t max_size) 235 { 236 size_t rlen; 237 u_char *dp; 238 int r; 239 240 SSHBUF_DBG(("set max buf = %p len = %zu", buf, max_size)); 241 if ((r = sshbuf_check_sanity(buf)) != 0) 242 return r; 243 if (max_size == buf->max_size) 244 return 0; 245 if (buf->readonly || buf->refcount > 1) 246 return SSH_ERR_BUFFER_READ_ONLY; 247 if (max_size > SSHBUF_SIZE_MAX) 248 return SSH_ERR_NO_BUFFER_SPACE; 249 /* pack and realloc if necessary */ 250 sshbuf_maybe_pack(buf, max_size < buf->size); 251 if (max_size < buf->alloc && max_size > buf->size) { 252 if (buf->size < SSHBUF_SIZE_INIT) 253 rlen = SSHBUF_SIZE_INIT; 254 else 255 rlen = roundup(buf->size, SSHBUF_SIZE_INC); 256 if (rlen > max_size) 257 rlen = max_size; 258 explicit_bzero(buf->d + buf->size, buf->alloc - buf->size); 259 SSHBUF_DBG(("new alloc = %zu", rlen)); 260 if ((dp = realloc(buf->d, rlen)) == NULL) 261 return SSH_ERR_ALLOC_FAIL; 262 buf->cd = buf->d = dp; 263 buf->alloc = rlen; 264 } 265 SSHBUF_TELL("new-max"); 266 if (max_size < buf->alloc) 267 return SSH_ERR_NO_BUFFER_SPACE; 268 buf->max_size = max_size; 269 return 0; 270 } 271 272 size_t 273 sshbuf_len(const struct sshbuf *buf) 274 { 275 if (sshbuf_check_sanity(buf) != 0) 276 return 0; 277 return buf->size - buf->off; 278 } 279 280 size_t 281 sshbuf_avail(const struct sshbuf *buf) 282 { 283 if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1) 284 return 0; 285 return buf->max_size - (buf->size - buf->off); 286 } 287 288 const u_char * 289 sshbuf_ptr(const struct sshbuf *buf) 290 { 291 if (sshbuf_check_sanity(buf) != 0) 292 return NULL; 293 return buf->cd + buf->off; 294 } 295 296 u_char * 297 sshbuf_mutable_ptr(const struct sshbuf *buf) 298 { 299 if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1) 300 return NULL; 301 return buf->d + buf->off; 302 } 303 304 int 305 sshbuf_check_reserve(const struct sshbuf *buf, size_t len) 306 { 307 int r; 308 309 if ((r = sshbuf_check_sanity(buf)) != 0) 310 return r; 311 if (buf->readonly || buf->refcount > 1) 312 return SSH_ERR_BUFFER_READ_ONLY; 313 SSHBUF_TELL("check"); 314 /* Check that len is reasonable and that max_size + available < len */ 315 if (len > buf->max_size || buf->max_size - len < buf->size - buf->off) 316 return SSH_ERR_NO_BUFFER_SPACE; 317 return 0; 318 } 319 320 int 321 sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp) 322 { 323 size_t rlen, need; 324 u_char *dp; 325 int r; 326 327 if (dpp != NULL) 328 *dpp = NULL; 329 330 SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len)); 331 if ((r = sshbuf_check_reserve(buf, len)) != 0) 332 return r; 333 /* 334 * If the requested allocation appended would push us past max_size 335 * then pack the buffer, zeroing buf->off. 336 */ 337 sshbuf_maybe_pack(buf, buf->size + len > buf->max_size); 338 SSHBUF_TELL("reserve"); 339 if (len + buf->size > buf->alloc) { 340 /* 341 * Prefer to alloc in SSHBUF_SIZE_INC units, but 342 * allocate less if doing so would overflow max_size. 343 */ 344 need = len + buf->size - buf->alloc; 345 rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC); 346 SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen)); 347 if (rlen > buf->max_size) 348 rlen = buf->alloc + need; 349 SSHBUF_DBG(("adjusted rlen %zu", rlen)); 350 if ((dp = realloc(buf->d, rlen)) == NULL) { 351 SSHBUF_DBG(("realloc fail")); 352 if (dpp != NULL) 353 *dpp = NULL; 354 return SSH_ERR_ALLOC_FAIL; 355 } 356 buf->alloc = rlen; 357 buf->cd = buf->d = dp; 358 if ((r = sshbuf_check_reserve(buf, len)) < 0) { 359 /* shouldn't fail */ 360 if (dpp != NULL) 361 *dpp = NULL; 362 return r; 363 } 364 } 365 dp = buf->d + buf->size; 366 buf->size += len; 367 SSHBUF_TELL("done"); 368 if (dpp != NULL) 369 *dpp = dp; 370 return 0; 371 } 372 373 int 374 sshbuf_consume(struct sshbuf *buf, size_t len) 375 { 376 int r; 377 378 SSHBUF_DBG(("len = %zu", len)); 379 if ((r = sshbuf_check_sanity(buf)) != 0) 380 return r; 381 if (len == 0) 382 return 0; 383 if (len > sshbuf_len(buf)) 384 return SSH_ERR_MESSAGE_INCOMPLETE; 385 buf->off += len; 386 SSHBUF_TELL("done"); 387 return 0; 388 } 389 390 int 391 sshbuf_consume_end(struct sshbuf *buf, size_t len) 392 { 393 int r; 394 395 SSHBUF_DBG(("len = %zu", len)); 396 if ((r = sshbuf_check_sanity(buf)) != 0) 397 return r; 398 if (len == 0) 399 return 0; 400 if (len > sshbuf_len(buf)) 401 return SSH_ERR_MESSAGE_INCOMPLETE; 402 buf->size -= len; 403 SSHBUF_TELL("done"); 404 return 0; 405 } 406 407
