- markus@cvs.openbsd.org 2002/06/26 13:55:37

     [auth2-chall.c]
     make sure # of response matches # of queries, fixes int overflow;
     from ISS

1 files changed, 12 insertions, 6 deletions

diff --git a/auth2-chall.c b/auth2-chall.c
index f35bfb2f8..e1440f47d 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -63,6 +63,7 @@ struct KbdintAuthctxt
         char *devices;
         void *ctxt;
         KbdintDevice *device;
+        u_int nreq;
 };
 
 static KbdintAuthctxt *
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
         debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
         kbdintctxt->ctxt = NULL;
         kbdintctxt->device = NULL;
+        kbdintctxt->nreq = 0;
 
         return kbdintctxt;
 }
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
         KbdintAuthctxt *kbdintctxt;
         char *name, *instr, **prompts;
         int i;
-        u_int numprompts, *echo_on;
+        u_int *echo_on;
 
         kbdintctxt = authctxt->kbdintctxt;
         if (kbdintctxt->device->query(kbdintctxt->ctxt,
-            &name, &instr, &numprompts, &prompts, &echo_on))
+            &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
                 return 0;
 
         packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
         packet_put_cstring(name);
         packet_put_cstring(instr);
         packet_put_cstring("");         /* language not used */
-        packet_put_int(numprompts);
-        for (i = 0; i < numprompts; i++) {
+        packet_put_int(kbdintctxt->nreq);
+        for (i = 0; i < kbdintctxt->nreq; i++) {
                 packet_put_cstring(prompts[i]);
                 packet_put_char(echo_on[i]);
         }
         packet_send();
         packet_write_wait();
 
-        for (i = 0; i < numprompts; i++)
+        for (i = 0; i < kbdintctxt->nreq; i++)
                 xfree(prompts[i]);
         xfree(prompts);
         xfree(echo_on);
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 
         authctxt->postponed = 0;        /* reset */
         nresp = packet_get_int();
+        if (nresp != kbdintctxt->nreq)
+                fatal("input_userauth_info_response: wrong number of replies");
+        if (nresp > 100)
+                fatal("input_userauth_info_response: too many replies");
         if (nresp > 0) {
                 response = xmalloc(nresp * sizeof(char*));
                 for (i = 0; i < nresp; i++)