From 5bbbd364c993ef1d51ba77e40bb56fc017d8ea78 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Fri, 19 Nov 1999 07:56:21 +1100
Subject: [PATCH] - Merged PAM buffer overrun patch from Chip Salzenberg
---
 ChangeLog | 3 +++
 README | 3 ++-
 sshd.c | 37 ++++++++++++++++++-------------------
 3 files changed, 23 insertions(+), 20 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index de4f4a704..f9889b4d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+19991119
+ - Merged PAM buffer overrun patch from Chip Salzenberg
+
 19991118
 - Merged OpenBSD CVS changes
 - [scp.c] foregroundproc() in scp
diff --git a/README b/README
index 06080b0dd..c9427da27 100644
--- a/README
+++ b/README
@@ -1,4 +1,5 @@
-This is the Unix port of OpenBSD's excellent OpenSSH.
+This is the port of OpenBSD's excellent OpenSSH to Linux and other
+Unices.
 OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs
diff --git a/sshd.c b/sshd.c
index 9e33f69f7..e3a94bf13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
 */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.23 1999/11/17 22:28:11 damien Exp $");
+RCSID("$Id: sshd.c,v 1.24 1999/11/18 20:56:21 damien Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
 static int pamconv(int num_msg, const struct pam_message **msg,
 struct pam_response **resp, void *appdata_ptr)
 {
- int count = 0;
- struct pam_response *reply = NULL;
+ struct pam_response *reply;
+ int count;
+ size_t msg_len;
+ char *p;
 /* PAM will free this later */
 reply = malloc(num_msg * sizeof(*reply));
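Review bot: The context line `reply = malloc(num_msg * sizeof(*reply));` in the `@@ -152,8 +152,10 @@` hunk multiplies a caller-supplied `int` with no range check, and this commit hardens the message buffer but leaves that allocation as it was. A guard before it such as `if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;` would keep a negative or oversized count from yielding a wrapped or undersized `reply` array. The hunk also drops the `= 0` and `= NULL` initialisers; `reply` is assigned straight away, but `count` is only safe if the loop that follows sets it before use. pamconv()'s body continues outside the hunk, so neither the loop nor a NULL check on `reply` can be confirmed here.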
@@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
 reply[count].resp_retcode = PAM_SUCCESS;
 reply[count].resp = xstrdup("");
- if (msg[count]->msg == NULL) break;
+ if (msg[count]->msg == NULL)
+ break;
 debug("Adding PAM message: %s", msg[count]->msg);
- if (pamconv_msg == NULL)
+
+ msg_len = strlen(msg[count]->msg);
+ if (pamconv_msg)
 {
- pamconv_msg = malloc(strlen(msg[count]->msg) + 2);
-
- if (pamconv_msg == NULL)
- return PAM_CONV_ERR;
-
- strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
- pamconv_msg[strlen(msg[count]->msg)] = '\n';
- pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
- } else
- {
- pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);
- strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
- pamconv_msg[strlen(pamconv_msg)] = '\n';
- pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
+ size_t n = strlen(pamconv_msg);
+ pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
+ p = pamconv_msg + n;
 }
+ else
+ pamconv_msg = p = xmalloc(msg_len + 2);
+ memcpy(p, msg[count]->msg, msg_len);
+ p[msg_len] = '\n';
+ p[msg_len + 1] = '\0';
 break;
 case PAM_PROMPT_ECHO_ON:
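Review bot: Nothing bounds `msg_len` or the running total `n + msg_len + 2`, so `pamconv_msg` grows by whatever the PAM module sends on every message handled by this case, and the addition itself is unchecked. Clamping right after the length is taken, `if (msg_len > PAM_MAX_MSG_SIZE) msg_len = PAM_MAX_MSG_SIZE;`, would bound each append; whether `pamconv_msg` is ever reset between conversations is not visible in the hunk and is worth checking. Moving to `xmalloc`/`xrealloc` also removes the old `PAM_CONV_ERR` return on allocation failure, which presumably now ends the process from inside the PAM callback, so a short comment stating that this is intended would help. The enclosing switch case and pamconv() begin and end outside the hunk.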