[auth2-chall.c]
     make sure # of response matches # of queries, fixes int overflow;
     from ISS
This commit is contained in:
Damien Miller 2002-06-26 23:58:39 +10:00
parent 7868202d56
commit fb7fd9580c
2 changed files with 17 additions and 7 deletions

View File

@ -55,6 +55,10 @@
[session.c] [session.c]
disclose less information from environment files; based on input disclose less information from environment files; based on input
from djm, and dschultz@uclink.Berkeley.EDU from djm, and dschultz@uclink.Berkeley.EDU
- markus@cvs.openbsd.org 2002/06/26 13:55:37
[auth2-chall.c]
make sure # of response matches # of queries, fixes int overflow;
from ISS
- (djm) Require krb5 devel for RPM build w/ KrbV - (djm) Require krb5 devel for RPM build w/ KrbV
- (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai
<nalin@redhat.com> <nalin@redhat.com>
@ -1159,4 +1163,4 @@
- (stevesk) entropy.c: typo in debug message - (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@ - (djm) ssh-keygen -i needs seeded RNG; report from markus@
$Id: ChangeLog,v 1.2299 2002/06/26 13:57:59 djm Exp $ $Id: ChangeLog,v 1.2300 2002/06/26 13:58:39 djm Exp $

View File

@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $"); RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
#include "ssh2.h" #include "ssh2.h"
#include "auth.h" #include "auth.h"
@ -63,6 +63,7 @@ struct KbdintAuthctxt
char *devices; char *devices;
void *ctxt; void *ctxt;
KbdintDevice *device; KbdintDevice *device;
u_int nreq;
}; };
static KbdintAuthctxt * static KbdintAuthctxt *
@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
debug("kbdint_alloc: devices '%s'", kbdintctxt->devices); debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
kbdintctxt->ctxt = NULL; kbdintctxt->ctxt = NULL;
kbdintctxt->device = NULL; kbdintctxt->device = NULL;
kbdintctxt->nreq = 0;
return kbdintctxt; return kbdintctxt;
} }
@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
KbdintAuthctxt *kbdintctxt; KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts; char *name, *instr, **prompts;
int i; int i;
u_int numprompts, *echo_on; u_int *echo_on;
kbdintctxt = authctxt->kbdintctxt; kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt, if (kbdintctxt->device->query(kbdintctxt->ctxt,
&name, &instr, &numprompts, &prompts, &echo_on)) &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
return 0; return 0;
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(name); packet_put_cstring(name);
packet_put_cstring(instr); packet_put_cstring(instr);
packet_put_cstring(""); /* language not used */ packet_put_cstring(""); /* language not used */
packet_put_int(numprompts); packet_put_int(kbdintctxt->nreq);
for (i = 0; i < numprompts; i++) { for (i = 0; i < kbdintctxt->nreq; i++) {
packet_put_cstring(prompts[i]); packet_put_cstring(prompts[i]);
packet_put_char(echo_on[i]); packet_put_char(echo_on[i]);
} }
packet_send(); packet_send();
packet_write_wait(); packet_write_wait();
for (i = 0; i < numprompts; i++) for (i = 0; i < kbdintctxt->nreq; i++)
xfree(prompts[i]); xfree(prompts[i]);
xfree(prompts); xfree(prompts);
xfree(echo_on); xfree(echo_on);
@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
authctxt->postponed = 0; /* reset */ authctxt->postponed = 0; /* reset */
nresp = packet_get_int(); nresp = packet_get_int();
if (nresp != kbdintctxt->nreq)
fatal("input_userauth_info_response: wrong number of replies");
if (nresp > 100)
fatal("input_userauth_info_response: too many replies");
if (nresp > 0) { if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*)); response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++) for (i = 0; i < nresp; i++)