Fix vulnerability CVE-2016-2563 in old scp protocol.
authorSimon Tatham <anakin@pobox.com>
Wed, 24 Feb 2016 20:13:10 +0000 (20:13 +0000)
committerSimon Tatham <anakin@pobox.com>
Mon, 29 Feb 2016 19:59:37 +0000 (19:59 +0000)
There was a rogue sscanf("%s") with no field width limit, targeting a
stack-based buffer, and scanning a string containing untrusted data.
It occurs in the 'sink' side of the protocol, i.e. when downloading
files *from* the server.

Our own bug id for this vulnerability is 'vuln-pscp-sink-sscanf'.

pscp.c

diff --git a/pscp.c b/pscp.c
index 3e41454d3d4e02c5028f1cab7a83a1c951a31184..dc9e1f5018f0e40515308ede348ce8906301cb92 100644 (file)
--- a/pscp.c
+++ b/pscp.c
@@ -1528,7 +1528,7 @@ int scp_get_sink_action(struct scp_sink_action *act)
        {
            char sizestr[40];
        
-           if (sscanf(act->buf, "%lo %s %n", &act->permissions,
+            if (sscanf(act->buf, "%lo %39s %n", &act->permissions,
                        sizestr, &i) != 2)
                bump("Protocol error: Illegal file descriptor format");
            act->size = uint64_from_decimal(sizestr);
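Review bot: The `39` in the new `%39s` is a magic number that must track the `sizestr[40]` declaration two lines above, and nothing ties the two together, so a later resize of the buffer would silently reintroduce the overflow this commit fixes. I would pin the relationship on the sscanf line with a comment such as `/* %39s: field width must stay sizeof(sizestr)-1 so the NUL fits */`, or build the format from the array size at compile time. A 39-character token is still far longer than any decimal uint64, so the width does not constrain valid input; whether `uint64_from_decimal` rejects overlong or overflowing digit strings is not visible here and is worth confirming. The replacement line also appears indented one column differently from the line it replaces (12 spaces versus 11), which may be a tab-to-space change rather than intentional and should be checked against the file's indentation convention. The enclosing function scp_get_sink_action begins and ends outside this hunk.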