2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
new file mode 100644
index 0000000000..df64a140d3
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
@@ -0,0 +1,99 @@
+From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
+From: Yuanjie Huang <yuanjie.huang@windriver.com>
+Date: Wed, 24 Aug 2016 03:15:43 +0000
+Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
+Pointer arithmatic results in implementation defined signed integer
+type, so that 's - src' in strlcpy and others may trigger signed overflow.
+In case of compilation by gcc or clang with -ftrapv option, the overflow
+would lead to program abort.
+Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ openbsd-compat/strlcat.c | 8 ++++++--
+ openbsd-compat/strlcpy.c | 8 ++++++--
+ openbsd-compat/strnlen.c | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
+index bcc1b61..e758ebf 100644
+--- a/openbsd-compat/strlcat.c
+++ b/openbsd-compat/strlcat.c
+@@ -23,6 +23,7 @@
+ 
+ #include <sys/types.h>
+ #include <string.h>
+#include <stdint.h>
+ 
+ /*
+  * Appends src to string dst of size siz (unlike strncat, siz is the
+@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
+                s++;
+        }
+        *d = '\0';
+-
+-       return(dlen + (s - src));       /* count does not include NUL */
+        /*
+        * Cast pointers to unsigned type before calculation, to avoid signed
+        * overflow when the string ends where the MSB has changed.
+        */
+       return (dlen + ((uintptr_t)s - (uintptr_t)src));        /* count does not include NUL */
+ }
+ 
+ #endif /* !HAVE_STRLCAT */
+diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
+index b4b1b60..b06f374 100644
+--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
+@@ -23,6 +23,7 @@
+ 
+ #include <sys/types.h>
+ #include <string.h>
+#include <stdint.h>
+ 
+ /*
+  * Copy src to string dst of size siz.  At most siz-1 characters
+@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
+                while (*s++)
+                        ;
+        }
+-
+-       return(s - src - 1);    /* count does not include NUL */
+        /*
+        * Cast pointers to unsigned type before calculation, to avoid signed
+        * overflow when the string ends where the MSB has changed.
+        */
+       return ((uintptr_t)s - (uintptr_t)src - 1);     /* count does not include NUL */
+ }
+ 
+ #endif /* !HAVE_STRLCPY */
+diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
+index 93d5155..9b8de5d 100644
+--- a/openbsd-compat/strnlen.c
+++ b/openbsd-compat/strnlen.c
+@@ -23,6 +23,7 @@
+ #include <sys/types.h>
+ 
+ #include <string.h>
+#include <stdint.h>
+ 
+ size_t
+ strnlen(const char *str, size_t maxlen)
+@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
+ 
+        for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
+                ;
+-
+-       return (size_t)(cp - str);
+        /*
+        * Cast pointers to unsigned type before calculation, to avoid signed
+        * overflow when the string ends where the MSB has changed.
+        */
+       return (size_t)((uintptr_t)cp - (uintptr_t)str);
+ }
+ #endif
+-- 
+1.9.1
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index b31972649d..039b0ffdde 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://run-ptest \
           file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
           file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
+           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
           "
 PAM_SRC_URI = "file://sshd"

diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch new file mode 100644 index 0000000000..df64a140d3 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
@@ -0,0 +1,99 @@
		1	From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
		2	From: Yuanjie Huang <yuanjie.huang@windriver.com>
		3	Date: Wed, 24 Aug 2016 03:15:43 +0000
		4	Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
		5
		6	Pointer arithmatic results in implementation defined signed integer
		7	type, so that 's - src' in strlcpy and others may trigger signed overflow.
		8	In case of compilation by gcc or clang with -ftrapv option, the overflow
		9	would lead to program abort.
		10
		11	Upstream-status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
		12
		13	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		14	---
		15	openbsd-compat/strlcat.c \| 8 ++++++--
		16	openbsd-compat/strlcpy.c \| 8 ++++++--
		17	openbsd-compat/strnlen.c \| 8 ++++++--
		18	3 files changed, 18 insertions(+), 6 deletions(-)
		19
		20	diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
		21	index bcc1b61..e758ebf 100644
		22	--- a/openbsd-compat/strlcat.c
		23	+++ b/openbsd-compat/strlcat.c
		24	@@ -23,6 +23,7 @@
		25
		26	#include <sys/types.h>
		27	#include <string.h>
		28	+#include <stdint.h>
		29
		30	/*
		31	* Appends src to string dst of size siz (unlike strncat, siz is the
		32	@@ -55,8 +56,11 @@ strlcat(char dst, const char src, size_t siz)
		33	s++;
		34	}
		35	*d = '\0';
		36	-
		37	- return(dlen + (s - src)); /* count does not include NUL */
		38	+ /*
		39	+ * Cast pointers to unsigned type before calculation, to avoid signed
		40	+ * overflow when the string ends where the MSB has changed.
		41	+ */
		42	+ return (dlen + ((uintptr_t)s - (uintptr_t)src)); /* count does not include NUL */
		43	}
		44
		45	#endif /* !HAVE_STRLCAT */
		46	diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
		47	index b4b1b60..b06f374 100644
		48	--- a/openbsd-compat/strlcpy.c
		49	+++ b/openbsd-compat/strlcpy.c
		50	@@ -23,6 +23,7 @@
		51
		52	#include <sys/types.h>
		53	#include <string.h>
		54	+#include <stdint.h>
		55
		56	/*
		57	* Copy src to string dst of size siz. At most siz-1 characters
		58	@@ -51,8 +52,11 @@ strlcpy(char dst, const char src, size_t siz)
		59	while (*s++)
		60	;
		61	}
		62	-
		63	- return(s - src - 1); /* count does not include NUL */
		64	+ /*
		65	+ * Cast pointers to unsigned type before calculation, to avoid signed
		66	+ * overflow when the string ends where the MSB has changed.
		67	+ */
		68	+ return ((uintptr_t)s - (uintptr_t)src - 1); /* count does not include NUL */
		69	}
		70
		71	#endif /* !HAVE_STRLCPY */
		72	diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
		73	index 93d5155..9b8de5d 100644
		74	--- a/openbsd-compat/strnlen.c
		75	+++ b/openbsd-compat/strnlen.c
		76	@@ -23,6 +23,7 @@
		77	#include <sys/types.h>
		78
		79	#include <string.h>
		80	+#include <stdint.h>
		81
		82	size_t
		83	strnlen(const char *str, size_t maxlen)
		84	@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
		85
		86	for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
		87	;
		88	-
		89	- return (size_t)(cp - str);
		90	+ /*
		91	+ * Cast pointers to unsigned type before calculation, to avoid signed
		92	+ * overflow when the string ends where the MSB has changed.
		93	+ */
		94	+ return (size_t)((uintptr_t)cp - (uintptr_t)str);
		95	}
		96	#endif
		97	--
		98	1.9.1
		99


diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb index b31972649d..039b0ffdde 100644 --- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
24	file://run-ptest \	24	file://run-ptest \
25	file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \	25	file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
26	file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \	26	file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
		27	file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
27	"	28	"
28		29
29	PAM_SRC_URI = "file://sshd"	30	PAM_SRC_URI = "file://sshd"