diff --git a/ChangeLog b/ChangeLog index 852fa1d3f..9d2332163 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,10 @@ [session.c] disclose less information from environment files; based on input from djm, and dschultz@uclink.Berkeley.EDU + - markus@cvs.openbsd.org 2002/06/26 13:55:37 + [auth2-chall.c] + make sure # of response matches # of queries, fixes int overflow; + from ISS - (djm) Require krb5 devel for RPM build w/ KrbV - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai @@ -1159,4 +1163,4 @@ - (stevesk) entropy.c: typo in debug message - (djm) ssh-keygen -i needs seeded RNG; report from markus@ -$Id: ChangeLog,v 1.2299 2002/06/26 13:57:59 djm Exp $ +$Id: ChangeLog,v 1.2300 2002/06/26 13:58:39 djm Exp $ diff --git a/auth2-chall.c b/auth2-chall.c index f35bfb2f8..e1440f47d 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -23,7 +23,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $"); #include "ssh2.h" #include "auth.h" @@ -63,6 +63,7 @@ struct KbdintAuthctxt char *devices; void *ctxt; KbdintDevice *device; + u_int nreq; }; static KbdintAuthctxt * @@ -90,6 +91,7 @@ kbdint_alloc(const char *devs) debug("kbdint_alloc: devices '%s'", kbdintctxt->devices); kbdintctxt->ctxt = NULL; kbdintctxt->device = NULL; + kbdintctxt->nreq = 0; return kbdintctxt; } @@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt) KbdintAuthctxt *kbdintctxt; char *name, *instr, **prompts; int i; - u_int numprompts, *echo_on; + u_int *echo_on; kbdintctxt = authctxt->kbdintctxt; if (kbdintctxt->device->query(kbdintctxt->ctxt, - &name, &instr, &numprompts, &prompts, &echo_on)) + &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on)) return 0; packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); packet_put_cstring(name); packet_put_cstring(instr); packet_put_cstring(""); /* language not used */ - packet_put_int(numprompts); - for (i = 0; i < numprompts; i++) { + packet_put_int(kbdintctxt->nreq); + for (i = 0; i < kbdintctxt->nreq; i++) { packet_put_cstring(prompts[i]); packet_put_char(echo_on[i]); } packet_send(); packet_write_wait(); - for (i = 0; i < numprompts; i++) + for (i = 0; i < kbdintctxt->nreq; i++) xfree(prompts[i]); xfree(prompts); xfree(echo_on); @@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp != kbdintctxt->nreq) + fatal("input_userauth_info_response: wrong number of replies"); + if (nresp > 100) + fatal("input_userauth_info_response: too many replies"); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++)