diff options
| author | Damien Miller <djm@mindrot.org> | 2010-08-31 22:36:39 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-08-31 22:36:39 +1000 |
| commit | da108ece6843f1268aa36d7c8ed0030dc53acd15 (patch) | |
| tree | 66638a1716374a8d1ac8ece95dceea56ce231a5c /auth-options.c | |
| parent | d96546f5b0f7c57395a338dbb9ac3ac5a48b77fa (diff) | |
- djm@cvs.openbsd.org 2010/08/31 09:58:37
[auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c]
[packet.h ssh-dss.c ssh-rsa.c]
Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.
Use the new API in a few sensitive places.
* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/auth-options.c b/auth-options.c index a7040247f..a9c26add6 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth-options.c,v 1.52 2010/05/20 23:46:02 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.53 2010/08/31 09:58:37 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -444,7 +444,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | |||
| 444 | buffer_append(&c, optblob, optblob_len); | 444 | buffer_append(&c, optblob, optblob_len); |
| 445 | 445 | ||
| 446 | while (buffer_len(&c) > 0) { | 446 | while (buffer_len(&c) > 0) { |
| 447 | if ((name = buffer_get_string_ret(&c, &nlen)) == NULL || | 447 | if ((name = buffer_get_cstring_ret(&c, &nlen)) == NULL || |
| 448 | (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { | 448 | (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { |
| 449 | error("Certificate options corrupt"); | 449 | error("Certificate options corrupt"); |
| 450 | goto out; | 450 | goto out; |
| @@ -479,7 +479,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | |||
| 479 | } | 479 | } |
| 480 | if (!found && (which & OPTIONS_CRITICAL) != 0) { | 480 | if (!found && (which & OPTIONS_CRITICAL) != 0) { |
| 481 | if (strcmp(name, "force-command") == 0) { | 481 | if (strcmp(name, "force-command") == 0) { |
| 482 | if ((command = buffer_get_string_ret(&data, | 482 | if ((command = buffer_get_cstring_ret(&data, |
| 483 | &clen)) == NULL) { | 483 | &clen)) == NULL) { |
| 484 | error("Certificate constraint \"%s\" " | 484 | error("Certificate constraint \"%s\" " |
| 485 | "corrupt", name); | 485 | "corrupt", name); |
| @@ -500,7 +500,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | |||
| 500 | found = 1; | 500 | found = 1; |
| 501 | } | 501 | } |
| 502 | if (strcmp(name, "source-address") == 0) { | 502 | if (strcmp(name, "source-address") == 0) { |
| 503 | if ((allowed = buffer_get_string_ret(&data, | 503 | if ((allowed = buffer_get_cstring_ret(&data, |
| 504 | &clen)) == NULL) { | 504 | &clen)) == NULL) { |
| 505 | error("Certificate constraint " | 505 | error("Certificate constraint " |
| 506 | "\"%s\" corrupt", name); | 506 | "\"%s\" corrupt", name); |