- Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>

1999-11-19 07:56:21 +11:00 · 1999-11-19 07:56:21 +11:00 · 5bbbd364c9
parent 6ee9564901
commit 5bbbd364c9
3 changed files with 23 additions and 20 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
 19991119
 - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
 19991118
 - Merged OpenBSD CVS changes
   - [scp.c] foregroundproc() in scp
--- a/3
+++ b/3
@ -1,4 +1,5 @@
-This is the Unix port of OpenBSD's excellent OpenSSH.
+This is the port of OpenBSD's excellent OpenSSH to Linux and other
 Unices.
 OpenSSH is based on the last free version of Tatu Ylonen's SSH with
 all patent-encumbered algorithms removed, all known security bugs
--- a/sshd.c
+++ b/sshd.c
@ -18,7 +18,7 @@ agent connections.
 */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.23 1999/11/17 22:28:11 damien Exp $");
+RCSID("$Id: sshd.c,v 1.24 1999/11/18 20:56:21 damien Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
 static int pamconv(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
 {
-  int count = 0;
+  struct pam_response *reply;
-  struct pam_response *reply = NULL;
+  int count;
  size_t msg_len;
  char *p;
  /* PAM will free this later */
  reply = malloc(num_msg * sizeof(*reply));
@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
        reply[count].resp_retcode = PAM_SUCCESS;
        reply[count].resp = xstrdup("");
-	if (msg[count]->msg == NULL) break;
+	if (msg[count]->msg == NULL)
 	    break;
 	debug("Adding PAM message: %s", msg[count]->msg);
-	if (pamconv_msg == NULL)
+
 	msg_len = strlen(msg[count]->msg);
 	if (pamconv_msg)
 	{
-	  pamconv_msg = malloc(strlen(msg[count]->msg) + 2);
+	  size_t n = strlen(pamconv_msg);
-	  
+	  pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
-	  if (pamconv_msg == NULL)
+	  p = pamconv_msg + n;
 	    return PAM_CONV_ERR;
 	  strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
 	  pamconv_msg[strlen(msg[count]->msg)] = '\n';
 	  pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
 	} else
 	{
 	  pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);
 	  strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
 	  pamconv_msg[strlen(pamconv_msg)] = '\n';
 	  pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
 	}
 	else
 	  pamconv_msg = p = xmalloc(msg_len + 2);
 	memcpy(p, msg[count]->msg, msg_len);
 	p[msg_len] = '\n';
 	p[msg_len + 1] = '\0';
        break;
      case PAM_PROMPT_ECHO_ON: