simon-git: putty (main): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Thu Apr 28 13:16:17 BST 2022
TL;DR:
7b0292b2 Fix translation of legacy key format *again*.
42dcd465 ssh2_scan_kexinits: dynamically allocate server_hostkeys[].
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: main
Committer: Simon Tatham <anakin at pobox.com>
Date: 2022-04-28 13:16:17
commit 7b0292b2c359ab37811d658c4afe49d721b6253d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=7b0292b2c359ab37811d658c4afe49d721b6253d;hp=93fb65af6139db3dad4d34d6d8bab002a8ea0136
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Apr 28 12:50:00 2022 +0100
Fix translation of legacy key format *again*.
As well as eliminating the null-pointer dereference, I also now
realise that the format-translation code depended on leaving the final
translated string in 'otherstr' in order to pass the host key check
afterwards (if they match).
I've also now realised that this only applies to *SSH-1* RSA keys, so
it's even more obsolete than I thought before. Perhaps I should just
remove this code instead of spending all this effort on fixing it. But
I've done the fix now, so I'll commit it, and then maybe we can remove
it afterwards (and have a working version of it available to resurrect
if ever needed!).
windows/storage.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
commit 42dcd465ab19d0dab1cc081b5f7b35c60be2577b
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=42dcd465ab19d0dab1cc081b5f7b35c60be2577b;hp=7b0292b2c359ab37811d658c4afe49d721b6253d
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Apr 28 13:02:00 2022 +0100
ssh2_scan_kexinits: dynamically allocate server_hostkeys[].
In commit 7d44e35bb3780c0 I introduced a bug: we were providing an
array of MAXKEXLIST ints to ssh2_scan_kexinits() to write a list of
server-supplied host keys into, and when MAXKEXLIST stopped being a
thing, I mindlessly replaced it with an array dynamically allocated to
the number of host key types we'd offered the server.
But we return a list of host key types the _server_ offered _us_ (and
that we can speak at all), which isn't necessarily the same thing. In
particular, if you deliberately ask to cache a new host key type from
the specials menu, we send a KEXINIT offering just _one_ host key
type, namely the one you've asked for. But that loop still writes down
all the key types it gets back from the server, which is (almost
certainly) more than one. So the array overflows.
In that situation we don't really need the returned array of key types
at all, but it's easier to just make it work than to add conditionals.
Replaced it with a dynamically grown array in the usual sort of way.
ssh/transport2.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
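The sizing mistake described in the commit message above, reconstructed as an added C example (not PuTTY's own code; the function names, the `client_known` table and the sample KEXINIT name-list are all constructed here for illustration). The point it demonstrates: the number of entries written is bounded by how many of the *server's* offered host-key types we recognise, so a buffer sized from the number of types *we* offered can be too small. The growable array uses the doubling pattern the commit alludes to; the overflow case is expressed as a capacity check rather than an actual out-of-bounds write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed table: host-key algorithms this client can speak at all.
 * (Illustrative only; not PuTTY's real algorithm table.) */
static const char *const client_known[] = {
    "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512",
    "rsa-sha2-256", "ssh-rsa"
};
enum { N_CLIENT_KNOWN = sizeof(client_known) / sizeof(client_known[0]) };

/* Index of the `len`-byte name at `name` in `known`, or -1 if unknown. */
static int lookup_known(const char *name, size_t len,
                        const char *const *known, size_t nknown)
{
    for (size_t i = 0; i < nknown; i++)
        if (strlen(known[i]) == len && memcmp(known[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Walk an SSH name-list ("a,b,c") and record the index of every entry
 * we recognise, in the server's preference order, into a heap array
 * that is grown on demand. Returns the array (caller frees) and sets
 * *nout. Returns NULL with *nout == 0 if nothing matched or on OOM. */
int *scan_server_hostkeys(const char *server_list,
                          const char *const *known, size_t nknown,
                          size_t *nout)
{
    size_t cap = 0, n = 0;
    int *out = NULL;
    const char *p = server_list;

    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        int idx = lookup_known(p, len, known, nknown);
        if (idx >= 0) {
            if (n == cap) {                 /* grow by doubling */
                size_t newcap = cap ? cap * 2 : 4;
                int *tmp = realloc(out, newcap * sizeof *out);
                if (!tmp) { free(out); *nout = 0; return NULL; }
                out = tmp;
                cap = newcap;
            }
            out[n++] = idx;
        }
        if (!comma)
            break;
        p = comma + 1;
    }
    *nout = n;
    return out;
}

/* Number of server-offered host-key types we recognise. */
size_t count_server_matches(const char *server_list,
                            const char *const *known, size_t nknown)
{
    size_t n;
    int *m = scan_server_hostkeys(server_list, known, nknown, &n);
    free(m);
    return n;
}

/* Index into `known` of the k-th recognised server entry, or -1. */
int nth_server_match(const char *server_list, size_t k,
                     const char *const *known, size_t nknown)
{
    size_t n;
    int *m = scan_server_hostkeys(server_list, known, nknown, &n);
    int r = (m && k < n) ? m[k] : -1;
    free(m);
    return r;
}

/* The bug pattern, as a check: a fixed buffer of n_offered ints (the
 * number of host-key types *we* put in our KEXINIT) would overflow
 * whenever the server's list contains more recognised entries than that.
 * Returns 1 if the fixed-size version would have written out of bounds. */
int fixed_capacity_would_overflow(size_t n_offered, const char *server_list,
                                  const char *const *known, size_t nknown)
{
    return count_server_matches(server_list, known, nknown) > n_offered;
}

int main(void)
{
    /* Constructed server name-list, as it might appear in a KEXINIT. */
    const char *srv = "ssh-rsa,rsa-sha2-512,rsa-sha2-256,"
                      "ecdsa-sha2-nistp256,ssh-ed25519,"
                      "sk-ssh-ed25519@openssh.com";
    size_t matches = count_server_matches(srv, client_known, N_CLIENT_KNOWN);
    printf("we offered 1 type; server list yields %zu recognised types; "
           "fixed buffer of 1 would overflow: %d\n", matches,
           fixed_capacity_would_overflow(1, srv, client_known, N_CLIENT_KNOWN));
    return 0;
}
```

The `fixed_capacity_would_overflow(1, ...)` call models the "cache a new host key type from the specials menu" case: one type offered, several recognised in the reply. The growable array makes the allocation independent of what we offered, which is the shape of the fix the commit describes.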