diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2010-01-08 18:49:16 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2010-01-08 18:49:16 +1100 |
| commit | 70d87693f4880c7acd6f50bf2aa8697b722024e7 (patch) | |
| tree | 3fadd1ca7b88c9e598b6e081e9dff8e06d61fe93 | |
| parent | ab79169e2971ca4c9f98e0a98ac9f0e797b5eb18 (diff) | |
- djm@cvs.openbsd.org 2009/11/20 03:24:07
[misc.c]
correct off-by-one in percent_expand(): we would fatal() when trying
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
work. Note that nothing in OpenSSH actually uses close to this limit at
present. bz#1607 from Jan.Pechanec AT Sun.COM
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | misc.c | 18 |
2 files changed, 15 insertions, 9 deletions
| @@ -81,6 +81,12 @@ | |||
| 81 | - dtucker@cvs.openbsd.org 2009/11/20 00:59:36 | 81 | - dtucker@cvs.openbsd.org 2009/11/20 00:59:36 |
| 82 | [sshconnect2.c] | 82 | [sshconnect2.c] |
| 83 | Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@ | 83 | Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@ |
| 84 | - djm@cvs.openbsd.org 2009/11/20 03:24:07 | ||
| 85 | [misc.c] | ||
| 86 | correct off-by-one in percent_expand(): we would fatal() when trying | ||
| 87 | to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually | ||
| 88 | work. Note that nothing in OpenSSH actually uses close to this limit at | ||
| 89 | present. bz#1607 from Jan.Pechanec AT Sun.COM | ||
| 84 | 90 | ||
| 85 | 20091226 | 91 | 20091226 |
| 86 | - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1 | 92 | - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1 |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */ | 1 | /* $OpenBSD: misc.c,v 1.73 2009/11/20 03:24:07 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2005,2006 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2005,2006 Damien Miller. All rights reserved. |
| @@ -597,11 +597,11 @@ char * | |||
| 597 | percent_expand(const char *string, ...) | 597 | percent_expand(const char *string, ...) |
| 598 | { | 598 | { |
| 599 | #define EXPAND_MAX_KEYS 16 | 599 | #define EXPAND_MAX_KEYS 16 |
| 600 | u_int num_keys, i, j; | ||
| 600 | struct { | 601 | struct { |
| 601 | const char *key; | 602 | const char *key; |
| 602 | const char *repl; | 603 | const char *repl; |
| 603 | } keys[EXPAND_MAX_KEYS]; | 604 | } keys[EXPAND_MAX_KEYS]; |
| 604 | u_int num_keys, i, j; | ||
| 605 | char buf[4096]; | 605 | char buf[4096]; |
| 606 | va_list ap; | 606 | va_list ap; |
| 607 | 607 | ||
| @@ -613,13 +613,12 @@ percent_expand(const char *string, ...) | |||
| 613 | break; | 613 | break; |
| 614 | keys[num_keys].repl = va_arg(ap, char *); | 614 | keys[num_keys].repl = va_arg(ap, char *); |
| 615 | if (keys[num_keys].repl == NULL) | 615 | if (keys[num_keys].repl == NULL) |
| 616 | fatal("percent_expand: NULL replacement"); | 616 | fatal("%s: NULL replacement", __func__); |
| 617 | } | 617 | } |
| 618 | if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL) | ||
| 619 | fatal("%s: too many keys", __func__); | ||
| 618 | va_end(ap); | 620 | va_end(ap); |
| 619 | 621 | ||
| 620 | if (num_keys >= EXPAND_MAX_KEYS) | ||
| 621 | fatal("percent_expand: too many keys"); | ||
| 622 | |||
| 623 | /* Expand string */ | 622 | /* Expand string */ |
| 624 | *buf = '\0'; | 623 | *buf = '\0'; |
| 625 | for (i = 0; *string != '\0'; string++) { | 624 | for (i = 0; *string != '\0'; string++) { |
| @@ -627,23 +626,24 @@ percent_expand(const char *string, ...) | |||
| 627 | append: | 626 | append: |
| 628 | buf[i++] = *string; | 627 | buf[i++] = *string; |
| 629 | if (i >= sizeof(buf)) | 628 | if (i >= sizeof(buf)) |
| 630 | fatal("percent_expand: string too long"); | 629 | fatal("%s: string too long", __func__); |
| 631 | buf[i] = '\0'; | 630 | buf[i] = '\0'; |
| 632 | continue; | 631 | continue; |
| 633 | } | 632 | } |
| 634 | string++; | 633 | string++; |
| 634 | /* %% case */ | ||
| 635 | if (*string == '%') | 635 | if (*string == '%') |
| 636 | goto append; | 636 | goto append; |
| 637 | for (j = 0; j < num_keys; j++) { | 637 | for (j = 0; j < num_keys; j++) { |
| 638 | if (strchr(keys[j].key, *string) != NULL) { | 638 | if (strchr(keys[j].key, *string) != NULL) { |
| 639 | i = strlcat(buf, keys[j].repl, sizeof(buf)); | 639 | i = strlcat(buf, keys[j].repl, sizeof(buf)); |
| 640 | if (i >= sizeof(buf)) | 640 | if (i >= sizeof(buf)) |
| 641 | fatal("percent_expand: string too long"); | 641 | fatal("%s: string too long", __func__); |
| 642 | break; | 642 | break; |
| 643 | } | 643 | } |
| 644 | } | 644 | } |
| 645 | if (j >= num_keys) | 645 | if (j >= num_keys) |
| 646 | fatal("percent_expand: unknown key %%%c", *string); | 646 | fatal("%s: unknown key %%%c", __func__, *string); |
| 647 | } | 647 | } |
| 648 | return (xstrdup(buf)); | 648 | return (xstrdup(buf)); |
| 649 | #undef EXPAND_MAX_KEYS | 649 | #undef EXPAND_MAX_KEYS |