authorDarren Tucker <dtucker@zip.com.au>2010-01-08 18:49:16 +1100
committerDarren Tucker <dtucker@zip.com.au>2010-01-08 18:49:16 +1100
commit70d87693f4880c7acd6f50bf2aa8697b722024e7 (patch)
tree3fadd1ca7b88c9e598b6e081e9dff8e06d61fe93
parentab79169e2971ca4c9f98e0a98ac9f0e797b5eb18 (diff)
- djm@cvs.openbsd.org 2009/11/20 03:24:07
[misc.c] correct off-by-one in percent_expand(): we would fatal() when trying to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work. Note that nothing in OpenSSH actually uses close to this limit at present. bz#1607 from Jan.Pechanec AT Sun.COM
-rw-r--r--ChangeLog6
-rw-r--r--misc.c18
2 files changed, 15 insertions, 9 deletions
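--- a/ChangeLog
+++ b/ChangeLog
@@ -81,6 +81,12 @@
  - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
  [sshconnect2.c]
  Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
+ - djm@cvs.openbsd.org 2009/11/20 03:24:07
+ [misc.c]
+ correct off-by-one in percent_expand(): we would fatal() when trying
+ to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
+ work. Note that nothing in OpenSSH actually uses close to this limit at
+ present. bz#1607 from Jan.Pechanec AT Sun.COM
 
 20091226
  - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1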
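--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */
+/* $OpenBSD: misc.c,v 1.73 2009/11/20 03:24:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -597,11 +597,11 @@ char *
 percent_expand(const char *string, ...)
 {
 #define EXPAND_MAX_KEYS 16
+ u_int num_keys, i, j;
  struct {
  const char *key;
  const char *repl;
  } keys[EXPAND_MAX_KEYS];
- u_int num_keys, i, j;
  char buf[4096];
  va_list ap;
 
@@ -613,13 +613,12 @@ percent_expand(const char *string, ...)
  break;
  keys[num_keys].repl = va_arg(ap, char *);
  if (keys[num_keys].repl == NULL)
- fatal("percent_expand: NULL replacement");
+ fatal("%s: NULL replacement", __func__);
  }
+ if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL)
+ fatal("%s: too many keys", __func__);
  va_end(ap);
 
- if (num_keys >= EXPAND_MAX_KEYS)
- fatal("percent_expand: too many keys");
-
  /* Expand string */
  *buf = '\0';
  for (i = 0; *string != '\0'; string++) {
@@ -627,23 +626,24 @@ percent_expand(const char *string, ...)
  append:
  buf[i++] = *string;
  if (i >= sizeof(buf))
- fatal("percent_expand: string too long");
+ fatal("%s: string too long", __func__);
  buf[i] = '\0';
  continue;
  }
  string++;
+ /* %% case */
  if (*string == '%')
  goto append;
  for (j = 0; j < num_keys; j++) {
  if (strchr(keys[j].key, *string) != NULL) {
  i = strlcat(buf, keys[j].repl, sizeof(buf));
  if (i >= sizeof(buf))
- fatal("percent_expand: string too long");
+ fatal("%s: string too long", __func__);
  break;
  }
  }
  if (j >= num_keys)
- fatal("percent_expand: unknown key %%%c", *string);
+ fatal("%s: unknown key %%%c", __func__, *string);
  }
  return (xstrdup(buf));
 #undef EXPAND_MAX_KEYS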
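Review bot: A format string that ends in a lone `%` is not rejected in the expansion loop: after `string++` the current character is the terminating NUL, the new `/* %% case */` test does not match it, and `strchr(keys[j].key, *string)` returns non-NULL for `'\0'`, so with at least one key the first replacement is appended and the loop's own `string++` then steps past the terminator and keeps reading. Since the surrounding fatal() calls are being touched anyway, add `if (*string == '\0') fatal("%s: invalid format", __func__);` directly after the `%%` check. The strings expanded here presumably include configuration-supplied values, so it is worth confirming whether any caller already rejects a trailing `%`; the callers and the lines between the hunks (old 608-612) are not visible in this diff.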