Recently a stat(2) call was added to load_server_config() of ssh to avoid reallocs. However, a buffer of 'st_size' length might be too short to hold the null terminator of the string.
Add one more byte to the size, if it is sure that we can't overflow. Gerhard Index: usr.bin/ssh/servconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/servconf.c,v retrieving revision 1.367 diff -u -p -u -p -r1.367 servconf.c --- usr.bin/ssh/servconf.c 5 Jul 2020 23:59:45 -0000 1.367 +++ usr.bin/ssh/servconf.c 17 Jul 2020 09:27:08 -0000 @@ -2339,7 +2339,8 @@ load_server_config(const char *filename, sshbuf_reset(conf); /* grow buffer, so realloc is avoided for large config files */ if (fstat(fileno(f), &st) == 0 && st.st_size > 0 && - (r = sshbuf_allocate(conf, st.st_size)) != 0) + st.st_size < LONG_MAX && + (r = sshbuf_allocate(conf, st.st_size + 1)) != 0) fatal("%s: allocate failed: %s", __func__, ssh_err(r)); while (getline(&line, &linesize, f) != -1) { lineno++;
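Review bot: the new `st.st_size < LONG_MAX` guard in load_server_config() bounds an off_t value by the limit of `long`, and the hunk does not show why that limit is the right one for the `st.st_size + 1` handed to sshbuf_allocate(). The test does keep the `+ 1` from wrapping when off_t is no wider than long, but it would be clearer to bound the size by whatever sshbuf_allocate() can actually accept, or to say in a comment why LONG_MAX was chosen. Note also that when the guard is false the `&&` chain short-circuits, so preallocation is silently skipped and the getline() loop still runs; if that fallback is intended, the existing "grow buffer" comment should say so, and it should mention that the extra byte is reserved for the string terminator. Finally, LONG_MAX needs <limits.h>; the hunk does not show whether servconf.c already includes it.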