20070326

[openssh.git] / packet.c

diff --git a/packet.c b/packet.c
index fceeef6661902d3853247af97acc326150f1b6a2..7d8fab1e90d92257718c4b142cb95da5488967e7 100644 (file)
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.129 2006/03/25 18:29:35 deraadt Exp $ */
+/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -39,26 +39,38 @@
 
 #include "includes.h"
  
+#include <sys/types.h>
 #include "openbsd-compat/sys-queue.h"
-#include <netinet/in_systm.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+
+#include <netinet/in.h>
 #include <netinet/ip.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
 
 #include "xmalloc.h"
 #include "buffer.h"
 #include "packet.h"
-#include "bufaux.h"
 #include "crc32.h"
-#include "getput.h"
-
 #include "compress.h"
 #include "deattack.h"
 #include "channels.h"
-
 #include "compat.h"
 #include "ssh1.h"
 #include "ssh2.h"
-
 #include "cipher.h"
+#include "key.h"
 #include "kex.h"
 #include "mac.h"
 #include "log.h"
@@ -559,7 +571,7 @@ packet_send1(void)
        /* Add check bytes. */
        checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
            buffer_len(&outgoing_packet));
-       PUT_32BIT(buf, checksum);
+       put_u32(buf, checksum);
        buffer_append(&outgoing_packet, buf, 4);
 
 #ifdef PACKET_DEBUG
@@ -568,7 +580,7 @@ packet_send1(void)
 #endif
 
        /* Append to output. */
-       PUT_32BIT(buf, len);
+       put_u32(buf, len);
        buffer_append(&output, buf, 4);
        cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
        cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
@@ -664,7 +676,7 @@ set_newkeys(int mode)
 
 /*
  * Delayed compression for SSH2 is enabled after authentication:
- * This happans on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
+ * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
  * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
  */
 static void
@@ -679,6 +691,9 @@ packet_enable_delayed_compress(void)
         */
        after_authentication = 1;
        for (mode = 0; mode < MODE_MAX; mode++) {
+               /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
+               if (newkeys[mode] == NULL)
+                       continue;
                comp = &newkeys[mode]->comp;
                if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
                        packet_init_compression();
@@ -771,7 +786,7 @@ packet_send2_wrapped(void)
        /* packet_length includes payload, padding and padding length field */
        packet_length = buffer_len(&outgoing_packet) - 4;
        cp = buffer_ptr(&outgoing_packet);
-       PUT_32BIT(cp, packet_length);
+       put_u32(cp, packet_length);
        cp[4] = padlen;
        DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
 
@@ -788,7 +803,7 @@ packet_send2_wrapped(void)
            buffer_len(&outgoing_packet));
        /* append unencrypted MAC */
        if (mac && mac->enabled)
-               buffer_append(&output, (char *)macbuf, mac->mac_len);
+               buffer_append(&output, macbuf, mac->mac_len);
 #ifdef PACKET_DEBUG
        fprintf(stderr, "encrypted: ");
        buffer_dump(&output);
@@ -969,7 +984,7 @@ packet_read_poll1(void)
                return SSH_MSG_NONE;
        /* Get length of incoming packet. */
        cp = buffer_ptr(&input);
-       len = GET_32BIT(cp);
+       len = get_u32(cp);
        if (len < 1 + 2 + 2 || len > 256 * 1024)
                packet_disconnect("Bad packet length %u.", len);
        padded_len = (len + 8) & ~7;
@@ -988,9 +1003,16 @@ packet_read_poll1(void)
         * (C)1998 CORE-SDI, Buenos Aires Argentina
         * Ariel Futoransky(futo@core-sdi.com)
         */
-       if (!receive_context.plaintext &&
-           detect_attack(buffer_ptr(&input), padded_len) == DEATTACK_DETECTED)
-               packet_disconnect("crc32 compensation attack: network attack detected");
+       if (!receive_context.plaintext) {
+               switch (detect_attack(buffer_ptr(&input), padded_len)) {
+               case DEATTACK_DETECTED:
+                       packet_disconnect("crc32 compensation attack: "
+                           "network attack detected");
+               case DEATTACK_DOS_DETECTED:
+                       packet_disconnect("deattack denial of "
+                           "service detected");
+               }
+       }
 
        /* Decrypt data to incoming_packet. */
        buffer_clear(&incoming_packet);
@@ -1017,7 +1039,7 @@ packet_read_poll1(void)
                    len, buffer_len(&incoming_packet));
 
        cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
-       stored_checksum = GET_32BIT(cp);
+       stored_checksum = get_u32(cp);
        if (checksum != stored_checksum)
                packet_disconnect("Corrupted check bytes on input.");
        buffer_consume_end(&incoming_packet, 4);
@@ -1066,7 +1088,7 @@ packet_read_poll2(u_int32_t *seqnr_p)
                cipher_crypt(&receive_context, cp, buffer_ptr(&input),
                    block_size);
                cp = buffer_ptr(&incoming_packet);
-               packet_length = GET_32BIT(cp);
+               packet_length = get_u32(cp);
                if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
 #ifdef PACKET_DEBUG
                        buffer_dump(&incoming_packet);