[ssh_x509] SSH X509: function x509key_write has an insufficient target size for base64-encoded buffers

ssh_x509 at roumenpetrov.info
Thu Aug 16 18:29:25 EEST 2012


Dear Mr. Petrov

We are security engineers of the Swiss company AdNovum Informatik AG 
and responsible for our customized OpenSSH called AdnSSH, which also 
features your marvelous Patch for supporting X.509 certificates.

However, after several years, we have faced a bug in the function 
x509key_write [1], which uses an insufficient length for the uu-encoded 
destination buffer.
Thereby, the destination buffer should be at least 33-36% [2] bigger 
than the source buffer because of the base64-encoding process (call of 
uuencode).

With the goal to overcome this problem, we used a dynamic approach for 
allocating heap memory for uuencode [3].

Finally, we would appreciate your help in including this fix in your 
next patch and remain with best wishes

J. Hegglin / R. Hedayat


[1]: Code fragment of the function x509key_write@/openssh/ssh-x509.c
int x509key_write(const Key *key, FILE *f) {
...
     if (ret) {
         char uu[1<<12]; /* 4096 bytes */ /* <= insufficient! */

         n = uuencode(buffer_ptr(&b), buffer_len(&b), uu, sizeof(uu));
         ret = n > 0;
         if (ret) {
             ret = (fwrite(uu, 1, n, f) ==  n);
         }
...
}


[2]: Base64-expansion
[source_buffer] = bit
[destination_buffer] = bit

max(source_buffer) = 4096 *8 = 32768
min(destination_buffer) ~ (4/3) * [ (4096 * 8) + 2 ] ~ 43693

delta(destination, source) ~ 43693 - 32768 ~ 10925

expansion ~ 10925 / 32768 ~ 0.33
=================================


[3]: Recommended fix in the function x509key_write@/openssh/ssh-x509.c

int x509key_write(const Key *key, FILE *f) {
...
     if(ret) {
        /* AdNovum BEGIN: use heap dynamic allocated memory for uuencode */
        char *uu = NULL;  /* the buffer, uu-encoded */

        /* we need a buffer length of at least 33-36% more the original size ->
           we use 100% more */
        size_t len = 2*buffer_len(&b);
        uu = (char*) xmalloc(len*sizeof(char));
        n = uuencode(buffer_ptr(&b), buffer_len(&b), uu, len-1);
        /* AdNovum END: use heap dynamic allocated memory for uuencode */

        ret = n > 0;
        if (ret) {
            ret = (fwrite(uu, 1, n, f) ==  n);
        }
        xfree(uu); /* AdNovum: cleanup */
      }
      ...
}

-- 
AdNovum Informatik AG
Reza Hedayat, Software Engineer
dipl. Informatik-Ing. FH

Roentgenstrasse 22, CH-8005 Zurich
mailto:reza.hedayat at adnovum.ch
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, Singapore, Zurich (HQ)
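
The sizing problem reported above, as an added example that is not part of the original message or of the ssh_x509 patch: a bounded base64 encoder rejects any blob whose encoding, plus the terminating NUL, exceeds a fixed 4096-byte target, while a buffer sized from the input length succeeds. Assumptions: b64_encode is a hypothetical stand-in for uuencode, the exact size 4*ceil(n/3)+1 is used instead of the 2x factor in the message, and the blob is constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>

/* Bytes needed to base64-encode n input bytes, including the trailing NUL. */
static size_t b64_encoded_size(size_t n) { return 4 * ((n + 2) / 3) + 1; }

/* Bounded encoder (hypothetical stand-in for uuencode): returns the encoded
   length, or -1 when dst is too small. */
static int b64_encode(const unsigned char *src, size_t n, char *dst, size_t dstsize) {
    static const char t[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (dstsize < b64_encoded_size(n)) return -1;
    for (i = 0; i + 2 < n; i += 3) {            /* full 3-byte groups */
        dst[o++] = t[src[i] >> 2];
        dst[o++] = t[((src[i] & 3) << 4) | (src[i + 1] >> 4)];
        dst[o++] = t[((src[i + 1] & 15) << 2) | (src[i + 2] >> 6)];
        dst[o++] = t[src[i + 2] & 63];
    }
    if (i < n) {                                 /* 1 or 2 trailing bytes */
        unsigned b1 = (i + 1 < n) ? src[i + 1] : 0;
        dst[o++] = t[src[i] >> 2];
        dst[o++] = t[((src[i] & 3) << 4) | (b1 >> 4)];
        dst[o++] = (i + 1 < n) ? t[(b1 & 15) << 2] : '=';
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return (int)o;
}

/* Fixed 4096-byte buffer, the size used in the reported fragment. */
static int encode_fixed(const unsigned char *blob, size_t n) {
    char uu[1 << 12];
    return b64_encode(blob, n, uu, sizeof(uu));
}

/* Heap buffer sized from the input length. */
static int encode_sized(const unsigned char *blob, size_t n) {
    size_t len = b64_encoded_size(n);
    char *uu = malloc(len);
    int r = uu ? b64_encode(blob, n, uu, len) : -1;
    free(uu);
    return r;
}

int main(void) {
    static unsigned char blob[4096];  /* constructed sample: zero-filled blob */
    printf("fixed=%d sized=%d\n", encode_fixed(blob, 3070), encode_sized(blob, 3070));
    return 0;
}
```

With a NUL-terminated 4096-byte target, the largest blob that still encodes is 3069 bytes; one byte more and the bounded encoder reports failure instead of writing the key.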



