History log of /openbsd-src/usr.bin/ssh/sshbuf.c (Results 1 – 23 of 23)
Revision Date Author Comments
# b691e04f 14-Aug-2024 tobias <tobias@openbsd.org>

Reorder calloc arguments

The first argument should be the amount, the second argument should be the
element size. Fixing this also silences some gcc compiler warnings for
portable.

Spotted with Benny Baumann (BenBE at geshi dot org).

ok djm@


# 2afef00e 14-Aug-2024 tobias <tobias@openbsd.org>

Extend sshbuf validation

Multiple sshbuf structs can be linked through a parent/child relationship.
Make sure that a single sshbuf cannot be its own parent. If this would ever
happen, it would result in reference counting issues.

This is a cheap way of testing this with very little overhead. It does not
detect A->B->A linkages though for performance reasons and the fact that it
takes a programming error for this to occur anyway.

Authored with Benny Baumann (BenBE at geshi dot org).

ok djm@


# 413e8297 14-Aug-2024 tobias <tobias@openbsd.org>

Use freezero for better readability

It has the same meaning as the current pair of calling explicit_bzero
and free. Spotted with Benny Baumann (BenBE at geshi dot org).

ok djm@


# 52a90c04 14-Aug-2024 tobias <tobias@openbsd.org>

Fix typo in comment

Spotted with Benny Baumann (BenBE at geshi dot org).

ok djm@


# 60dd6e7e 02-Dec-2022 djm <djm@openbsd.org>

make struct sshbuf private and remove an unused field; ok dtucker


# a8cbed27 25-May-2022 djm <djm@openbsd.org>

revert previous; it was broken (spotted by Theo)


# 15df1c5d 25-May-2022 djm <djm@openbsd.org>

make SSHBUF_DBG/SSHBUF_TELL (off by default and only enabled via
#define) dump to stderr rather than stdout


# fe1380ca 08-Apr-2022 djm <djm@openbsd.org>

two defensive changes from Tobias Stoeckmann via GHPR287

enforce stricter invariant for sshbuf_set_parent() - never allow
a buffer to have a previously-set parent changed.

In sshbuf_reset(), if the reallocation fails, then zero the entire
buffer and not the (potentially smaller) default initial alloc size.


# c9831b39 26-Feb-2020 jsg <jsg@openbsd.org>

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundary.

ok deraadt@ djm@


# e9716d4d 23-Jan-2020 dtucker <dtucker@openbsd.org>

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.


# 27871900 16-Nov-2018 djm <djm@openbsd.org>

make grandparent-parent-child sshbuf chains robust to use-after-free
faults if the ancestors are freed before the descendents. Nothing in
OpenSSH uses this deallocation pattern. Reported by Jann Horn


# a74252e9 09-Jul-2018 markus <markus@openbsd.org>

remove legacy buffer API emulation layer; ok djm@


# 327b1c69 01-Jun-2017 djm <djm@openbsd.org>

unconditionally zero init size of buffer; ok markus@ deraadt@


# eaf8e3f6 31-May-2017 deraadt <deraadt@openbsd.org>

Switch to recallocarray() for a few operations. Both growth and shrinkage
are handled safely, and there also is no need for preallocation dances.
Future changes in this area will be less error prone.
Review and one bug found by markus


# 49ae696b 26-May-2017 markus <markus@openbsd.org>

sshbuf_consume: reset empty buffer; ok djm@


# 66d9cecc 25-Nov-2016 djm <djm@openbsd.org>

split allocation out of sshbuf_reserve() into a separate
sshbuf_allocate() function; ok markus@


# 03db5a1f 12-Sep-2016 deraadt <deraadt@openbsd.org>

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker


# 5c47a739 12-Jan-2016 djm <djm@openbsd.org>

use explicit_bzero() more liberally in the buffer code; ok deraadt


# 860b8821 11-Dec-2015 mmcc <mmcc@openbsd.org>

Remove NULL-checks before sshbuf_free().

ok djm@


# 10ed5436 05-Oct-2015 djm <djm@openbsd.org>

some more bzero->explicit_bzero, from Michael McConville


# ace78deb 20-Jan-2015 deraadt <deraadt@openbsd.org>

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus


# e2862f1c 25-Jun-2014 deraadt <deraadt@openbsd.org>

unblock SIGSEGV before raising it
ok djm


# 15b55dae 30-Apr-2014 djm <djm@openbsd.org>

New buffer API; the first installment of the conversion/replacement
of OpenSSH's internals to make them usable as a standalone library.

This includes a set of wrappers to make it compatible with the
existing buffer API so replacement can occur incrementally.

With and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review.
