1 /*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
25 /* Buffer handling routines, designed to avoid overflows/using invalid data */
27 #include "includes.h"
28 #include "dbutil.h"
29 #include "buffer.h"
31 /* Prevent integer overflows when incrementing buffer position/length.
32 * Calling functions should check arguments first, but this provides a
33 * backstop */
34 #define BUF_MAX_INCR 1000000000
35 #define BUF_MAX_SIZE 1000000000
37 /* avoid excessively large numbers, > ~8192 bits */
38 #define BUF_MAX_MPINT (8240 / 8)
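/* Create (malloc) a new buffer of size.
 *
 * Exits via dropbear_exit() if size exceeds BUF_MAX_SIZE, the backstop against
 * oversized allocations driven by peer-supplied lengths. Header and data are
 * one allocation, so buf_free() releases both. A size of 0 yields data == NULL.
 */
buffer* buf_new(unsigned int size) {
	buffer* buf;

	if (size > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	buf = m_malloc(sizeof(buffer) + size);

	/* the data area immediately follows the header in the same allocation */
	if (size > 0) {
		buf->data = (unsigned char*)buf + sizeof(buffer);
	} else {
		buf->data = NULL;
	}

	buf->size = size;
	/* Start explicitly empty instead of relying on m_malloc() zero-filling the
	 * allocation: the rest of this file assumes a fresh buffer has len == 0 and
	 * pos == 0 (e.g. buf_getstringbuf() writes into a new buffer from pos) */
	buf->len = 0;
	buf->pos = 0;

	return buf;
}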
/* Release a buffer obtained from buf_new()/buf_newcopy()/buf_resize().
 * The data area lives inside the same allocation as the header, so freeing
 * the header releases everything. */
void buf_free(buffer* buf) {
	m_free(buf);
}
/* Scrub the whole data area (all size bytes, not just the used len) so that
 * sensitive material does not linger in memory. The header fields are left
 * untouched; the buffer remains usable afterwards. */
void buf_burn(buffer* buf) {
	m_burn(buf->data, buf->size);
}
/* Resize a buffer to newsize bytes and return the (possibly moved) buffer,
 * which replaces the pointer passed in. len and pos are clamped to newsize
 * when shrinking. Fatal if newsize exceeds BUF_MAX_SIZE.
 * Unlike buf_new(), a resize to 0 leaves data pointing just past the header
 * rather than NULL. */
buffer* buf_resize(buffer *buf, unsigned int newsize) {
	buffer *grown;

	if (newsize > BUF_MAX_SIZE) {
		dropbear_exit("buf->size too big");
	}

	grown = m_realloc(buf, sizeof(buffer) + newsize);
	/* the allocation may have moved, so recompute data from the new header
	 * address rather than carrying the old pointer over */
	grown->data = (unsigned char*)grown + sizeof(buffer);
	grown->size = newsize;
	if (grown->len > newsize) {
		grown->len = newsize;
	}
	if (grown->pos > newsize) {
		grown->pos = newsize;
	}
	return grown;
}
/* Duplicate buf into a freshly allocated buffer whose size equals buf->len.
 * Only the used bytes [0, len) are copied; the copy's pos is whatever
 * buf_new() starts it at, not the source's pos. Caller frees with buf_free(). */
buffer* buf_newcopy(buffer* buf) {
	unsigned int used = buf->len;
	buffer* copy = buf_new(used);

	copy->len = used;
	if (used > 0) {
		memcpy(copy->data, buf->data, used);
	}
	return copy;
}
/* Set the used length of the buffer. Fatal if len exceeds the allocated size.
 * pos is not adjusted: lowering len below the current pos leaves pos > len,
 * which the read accessors (e.g. buf_getbyte()) treat as a fatal error. */
void buf_setlen(buffer* buf, unsigned int len) {
	if (len <= buf->size) {
		buf->len = len;
		return;
	}
	dropbear_exit("Bad buf_setlen");
}
/* Grow the used length by incr bytes. Fatal if incr exceeds BUF_MAX_INCR
 * (so len + incr cannot wrap, given size <= BUF_MAX_SIZE) or if the result
 * would pass the allocated size. */
void buf_incrlen(buffer* buf, unsigned int incr) {
	unsigned int newlen;

	if (incr > BUF_MAX_INCR) {
		dropbear_exit("Bad buf_incrlen");
	}
	newlen = buf->len + incr;
	if (newlen > buf->size) {
		dropbear_exit("Bad buf_incrlen");
	}
	buf->len = newlen;
}
/* Move the read/write position to an absolute offset. Fatal if pos lies
 * beyond the used length (pos == len, i.e. "at the end", is allowed). */
void buf_setpos(buffer* buf, unsigned int pos) {
	if (pos <= buf->len) {
		buf->pos = pos;
		return;
	}
	dropbear_exit("Bad buf_setpos");
}
/* Advance pos by incr after a write, extending the used length to cover the
 * new position if it moved past len. Fatal if incr exceeds BUF_MAX_INCR or
 * the new position would pass the allocated size. */
void buf_incrwritepos(buffer* buf, unsigned int incr) {
	unsigned int newpos;

	if (incr > BUF_MAX_INCR) {
		dropbear_exit("Bad buf_incrwritepos");
	}
	newpos = buf->pos + incr;
	if (newpos > buf->size) {
		dropbear_exit("Bad buf_incrwritepos");
	}
	buf->pos = newpos;
	if (buf->len < newpos) {
		buf->len = newpos;
	}
}
/* Move pos by a signed amount; negative values rewind. Fatal if incr exceeds
 * BUF_MAX_INCR, if the result would be negative, or if it would pass the
 * used length. */
void buf_incrpos(buffer* buf, int incr) {
	int newpos;

	if (incr > BUF_MAX_INCR) {
		dropbear_exit("Bad buf_incrpos");
	}
	/* pos never exceeds size, which buf_new()/buf_resize() cap at BUF_MAX_SIZE,
	 * and incr is at most BUF_MAX_INCR, so the signed sum stays inside int
	 * range in both directions */
	newpos = (int)buf->pos + incr;
	if (newpos < 0 || (unsigned int)newpos > buf->len) {
		dropbear_exit("Bad buf_incrpos");
	}
	buf->pos = (unsigned int)newpos;
}
/* Read one byte at pos and advance. Fatal when no byte is available;
 * the check is >= rather than == so that the "should never happen" state
 * pos > len is also caught instead of being read through. */
unsigned char buf_getbyte(buffer* buf) {
	unsigned char val;

	if (buf->pos >= buf->len) {
		dropbear_exit("Bad buf_getbyte");
	}
	val = buf->data[buf->pos];
	buf->pos++;
	return val;
}
/* Read one byte as an SSH boolean and advance: any non-zero byte is
 * normalised to 1, zero stays 0. Fatal if no byte is available. */
unsigned char buf_getbool(buffer* buf) {
	return buf_getbyte(buf) != 0 ? 1 : 0;
}
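/* Write one byte at pos and advance, extending the used length by one first
 * when writing at (or past) the end. Fatal if that extension would pass the
 * allocated size. */
void buf_putbyte(buffer* buf, unsigned char val) {
	if (buf->pos >= buf->len) {
		buf_incrlen(buf, 1);
	}
	/* Bounds-check against size through the shared helper instead of indexing
	 * data directly: if pos had drifted above len (buf_setlen() can lower len
	 * below pos) the one-byte len increment alone does not prove pos < size */
	*buf_getwriteptr(buf, 1) = val;
	buf->pos++;
}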
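/* Return an in-place pointer to the next len bytes at the current pos,
 * checking that they lie within the used length. Fatal if not. The pointer
 * is only valid until the buffer is resized or freed; pos is not advanced. */
unsigned char* buf_getptr(buffer* buf, unsigned int len) {
	/* The BUF_MAX_INCR cap is the same backstop buf_incrlen()/buf_incrwritepos()
	 * use: with pos <= BUF_MAX_SIZE it guarantees pos + len cannot wrap around
	 * and slip past the bounds check for a huge caller-supplied len */
	if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
		dropbear_exit("Bad buf_getptr");
	}
	return &buf->data[buf->pos];
}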
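/* Like buf_getptr(), but checks the next len bytes against the allocated
 * size rather than the used length, so a caller may write past len (but
 * never past size). Fatal if not. The caller is expected to follow the write
 * with buf_incrwritepos(); pos and len are not touched here. */
unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
	/* Same overflow backstop as buf_getptr()/buf_incrwritepos(): capping len
	 * at BUF_MAX_INCR keeps pos + len from wrapping for a huge len */
	if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
		dropbear_exit("Bad buf_getwriteptr");
	}
	return &buf->data[buf->pos];
}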
/* Read an SSH string (uint32 length, then bytes) and return it as a
 * NUL-terminated, malloc()ed C string that the caller must free.
 * The body is not checked for embedded NULs, so *retlen (when retlen is
 * non-NULL) may exceed strlen() of the result. Fatal if the length exceeds
 * MAX_STRING_LEN or the body runs past the end of buf. */
char* buf_getstring(buffer* buf, unsigned int *retlen) {
	unsigned int len = buf_getint(buf);
	char* ret;

	if (len > MAX_STRING_LEN) {
		dropbear_exit("String too long");
	}
	if (retlen) {
		*retlen = len;
	}
	/* +1 for the terminator; len is bounded by MAX_STRING_LEN so cannot wrap */
	ret = m_malloc(len + 1);
	memcpy(ret, buf_getptr(buf, len), len);
	ret[len] = '\0';
	buf_incrpos(buf, len);
	return ret;
}
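/* Read an SSH string and return it as a newly allocated buffer sized exactly
 * to the string, with len set and pos left where buf_new() starts it.
 * Fatal if the length exceeds MAX_STRING_LEN or the body runs past the end
 * of buf. Caller frees the result with buf_free(). */
buffer * buf_getstringbuf(buffer *buf) {
	buffer *ret = NULL;
	unsigned int len = buf_getint(buf);
	if (len > MAX_STRING_LEN) {
		dropbear_exit("String too long");
	}
	ret = buf_new(len);
	/* buf_new(0) leaves data == NULL, so skip the copy for an empty string
	 * rather than hand memcpy() a null destination (the same guard
	 * buf_newcopy() uses); buf_incrpos() below still validates pos <= len */
	if (len > 0) {
		memcpy(buf_getwriteptr(ret, len), buf_getptr(buf, len), len);
	}
	buf_incrpos(buf, len);
	buf_incrlen(ret, len);
	return ret;
}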
/* Skip over an SSH string without copying it: read the length and advance
 * pos past the body. There is no MAX_STRING_LEN check here; buf_incrpos()
 * still refuses to move past the used length. */
void buf_eatstring(buffer *buf) {
	unsigned int len = buf_getint(buf);
	buf_incrpos(buf, len);
}
/* Read a big-endian uint32 at pos and advance by 4.
 * Fatal if fewer than 4 bytes remain in the used length. */
unsigned int buf_getint(buffer* buf) {
	unsigned int val;
	unsigned char *src = buf_getptr(buf, 4);

	LOAD32H(val, src);
	buf_incrpos(buf, 4);
	return val;
}
/* Write val as a big-endian uint32 at pos and advance by 4, extending the
 * used length if required. Fatal if 4 bytes do not fit in the allocated size. */
void buf_putint(buffer* buf, unsigned int val) {
	unsigned char *dst = buf_getwriteptr(buf, 4);

	STORE32H(val, dst);
	buf_incrwritepos(buf, 4);
}
/* Write an SSH string: a uint32 length followed by len bytes of str.
 * str need not be NUL-terminated; exactly len bytes are taken. Extends the
 * used length as needed; fatal if the data does not fit the allocated size. */
void buf_putstring(buffer* buf, const char* str, unsigned int len) {
	const unsigned char *bytes = (const unsigned char*)str;

	buf_putint(buf, len);
	buf_putbytes(buf, bytes, len);
}
/* Write the used contents [0, len) of buf_str into buf as one SSH string.
 * buf_str's pos is ignored and buf_str is not modified. */
void buf_putbufstring(buffer *buf, const buffer* buf_str) {
	const char *body = (const char*)buf_str->data;

	buf_putstring(buf, body, buf_str->len);
}
/* Copy len raw bytes into buf at pos and advance, extending the used length
 * if required. Fatal if the bytes do not fit in the allocated size. */
void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
	unsigned char *dst = buf_getwriteptr(buf, len);

	memcpy(dst, bytes, len);
	buf_incrwritepos(buf, len);
}
/* Encode mp as an SSH mpint (uint32 length, then big-endian magnitude).
 * Only non-negative values are supported: a negative bignum is fatal.
 * Zero is encoded with length 0 and no body. */
void buf_putmpint(buffer* buf, mp_int * mp) {
	unsigned int len = 0;
	unsigned int pad = 0;
	TRACE2(("enter buf_putmpint"))

	dropbear_assert(mp != NULL);

	if (SIGN(mp) == MP_NEG) {
		dropbear_exit("negative bignum");
	}

	if (!(USED(mp) == 1 && DIGIT(mp, 0) == 0)) {
		unsigned int bits = mp_count_bits(mp);
		/* SSH mpints are two's complement, so when the top bit of the first
		 * magnitude byte would be set a 0x00 byte is prefixed to keep the
		 * value positive (this is the RFC 4251 mpint padding rule) */
		pad = (bits % 8 == 0) ? 1 : 0;
		/* bits/8 rounds down; the +1 supplies either the partial top byte or,
		 * when bits is a multiple of 8, the padding byte counted above */
		len = bits / 8 + 1;
	}

	buf_putint(buf, len);

	if (len > 0) {
		if (pad) {
			buf_putbyte(buf, 0x00);
		}
		/* len - pad is the magnitude size proper; the pad byte is already out */
		if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len - pad)) != MP_OKAY) {
			dropbear_exit("mpint error");
		}
		buf_incrwritepos(buf, len - pad);
	}
	TRACE2(("leave buf_putmpint"))
}
/* Decode an SSH mpint from buf into mp. Negative values are rejected since
 * they are never needed here. Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
 * On failure the 4-byte length has already been consumed from buf but the
 * body has not, so buf's pos is left pointing at the (rejected) body. */
int buf_getmpint(buffer* buf, mp_int* mp) {
	unsigned int len = buf_getint(buf);
	unsigned char msb;

	if (len == 0) {
		mp_zero(mp);
		return DROPBEAR_SUCCESS;
	}

	/* cap the size before handing anything to libtommath so a peer-supplied
	 * length cannot force an excessively large bignum */
	if (len > BUF_MAX_MPINT) {
		return DROPBEAR_FAILURE;
	}

	/* top bit of the first byte set means a two's complement negative value */
	msb = *buf_getptr(buf, 1);
	if (msb & (1 << (CHAR_BIT - 1))) {
		return DROPBEAR_FAILURE;
	}

	if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
		return DROPBEAR_FAILURE;
	}

	buf_incrpos(buf, len);
	return DROPBEAR_SUCCESS;
}