authordtucker <dtucker@openbsd.org>2020-02-18 08:58:33 +0000
committerdtucker <dtucker@openbsd.org>2020-02-18 08:58:33 +0000
commitb0acf2e11a9313f64804d2a232ba535ca25298a4 (patch)
tree4212dadf99dd97f86eb9eded7f8768ee59d570ae /usr.bin/ssh/ssh-add.c
parentDetect and prevent simple configuration loops when using ProxyJump. (diff)
Ensure that the key lifetime provided fits within the values allowed by
the wire format (u32). Prevents integer wraparound of the timeout values. bz#3119, ok markus@ djm@
Diffstat (limited to 'usr.bin/ssh/ssh-add.c')
-rw-r--r--usr.bin/ssh/ssh-add.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index 6631aedb027..eac8fafb946 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.152 2020/02/06 22:30:54 naddy Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.153 2020/02/18 08:58:33 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -83,7 +83,7 @@ static char *default_files[] = {
static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Default lifetime (0 == forever) */
-static int lifetime = 0;
+static long lifetime = 0;
/* User has to confirm key use */
static int confirm = 0;
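Review bot: The comment above `lifetime` still describes only the 0 case, although the variable is now a `long` whose accepted range is enforced elsewhere, in the `-t` case of `main`. I would extend it to `/* Default lifetime in seconds (0 == forever); -t limits it to the u32 wire range */` so the wider type is not read as permission to store larger values. Any call that passes `lifetime` to a narrower parameter is outside the visible hunks, so the bound in `main` is presumably the only thing keeping the value within u32 for every code path that sets it.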
@@ -321,7 +321,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
filename, comment);
if (lifetime != 0) {
fprintf(stderr,
- "Lifetime set to %d seconds\n", lifetime);
+ "Lifetime set to %ld seconds\n", lifetime);
}
if (confirm != 0) {
fprintf(stderr, "The user must confirm "
@@ -377,7 +377,7 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag,
fprintf(stderr, "Certificate added: %s (%s)\n", certpath,
private->cert->key_id);
if (lifetime != 0) {
- fprintf(stderr, "Lifetime set to %d seconds\n",
+ fprintf(stderr, "Lifetime set to %ld seconds\n",
lifetime);
}
if (confirm != 0) {
@@ -564,7 +564,7 @@ load_resident_keys(int agent_fd, const char *skprovider, int qflag)
sshkey_type(keys[i]), fp);
if (lifetime != 0) {
fprintf(stderr,
- "Lifetime set to %d seconds\n", lifetime);
+ "Lifetime set to %ld seconds\n", lifetime);
}
if (confirm != 0) {
fprintf(stderr, "The user must confirm "
@@ -713,7 +713,8 @@ main(int argc, char **argv)
pkcs11provider = optarg;
break;
case 't':
- if ((lifetime = convtime(optarg)) == -1) {
+ if ((lifetime = convtime(optarg)) == -1 ||
+ lifetime < 0 || lifetime > UINT32_MAX) {
fprintf(stderr, "Invalid lifetime\n");
ret = 1;
goto done;
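Review bot: The new bound in the `-t` case still lets 0 through, and the comment on the `lifetime` declaration defines 0 as forever, while the `if (lifetime != 0)` report sites in `add_file` and `load_resident_keys` print nothing for it. If `convtime` can return 0 for some input (its body is not shown here), that input presumably adds the key with no expiry and no message. Rejecting it would be `if ((lifetime = convtime(optarg)) <= 0 || lifetime > UINT32_MAX) {`; alternatively the behaviour could be kept and stated in a comment on the case. Separately, the `== -1` test is already covered by `lifetime < 0`. `main` starts and ends outside the hunk.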