authorDamien Miller <djm@mindrot.org>2002-06-26 23:58:39 +1000
committerDamien Miller <djm@mindrot.org>2002-06-26 23:58:39 +1000
commitfb7fd9580ca8ff02d857e05c55670f3b6fed024e (patch)
tree1d8375f5804a03e6bae2c14a65a46391764bc1d1 /auth2-chall.c
parent7868202d56f72b5f833b454f0756b301bcf58190 (diff)
- markus@cvs.openbsd.org 2002/06/26 13:55:37
[auth2-chall.c] make sure # of response matches # of queries, fixes int overflow; from ISS
Diffstat (limited to 'auth2-chall.c')
-rw-r--r--auth2-chall.c18
1 files changed, 12 insertions, 6 deletions
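--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -63,6 +63,7 @@ struct KbdintAuthctxt
  char *devices;
  void *ctxt;
  KbdintDevice *device;
+ u_int nreq;
 };
 
 static KbdintAuthctxt *
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
  debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
  kbdintctxt->ctxt = NULL;
  kbdintctxt->device = NULL;
+ kbdintctxt->nreq = 0;
 
  return kbdintctxt;
 }
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
  KbdintAuthctxt *kbdintctxt;
  char *name, *instr, **prompts;
  int i;
- u_int numprompts, *echo_on;
+ u_int *echo_on;
 
  kbdintctxt = authctxt->kbdintctxt;
  if (kbdintctxt->device->query(kbdintctxt->ctxt,
- &name, &instr, &numprompts, &prompts, &echo_on))
+ &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
  return 0;
 
  packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
  packet_put_cstring(name);
  packet_put_cstring(instr);
  packet_put_cstring(""); /* language not used */
- packet_put_int(numprompts);
+ packet_put_int(kbdintctxt->nreq);
- for (i = 0; i < numprompts; i++) {
+ for (i = 0; i < kbdintctxt->nreq; i++) {
  packet_put_cstring(prompts[i]);
  packet_put_char(echo_on[i]);
  }
  packet_send();
  packet_write_wait();
 
- for (i = 0; i < numprompts; i++)
+ for (i = 0; i < kbdintctxt->nreq; i++)
  xfree(prompts[i]);
  xfree(prompts);
  xfree(echo_on);
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 
  authctxt->postponed = 0; /* reset */
  nresp = packet_get_int();
+ if (nresp != kbdintctxt->nreq)
+ fatal("input_userauth_info_response: wrong number of replies");
+ if (nresp > 100)
+ fatal("input_userauth_info_response: too many replies");
  if (nresp > 0) {
  response = xmalloc(nresp * sizeof(char*));
  for (i = 0; i < nresp; i++)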
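Review bot: The ceiling of 100 replies is enforced only in input_userauth_info_response, while send_userauth_info_request stores whatever count device->query returns in kbdintctxt->nreq without a bound. If a device ever produced more than 100 prompts, the server would send a request whose only matching response is then rejected with fatal(). I would give the limit a name and apply it where nreq is set, right after the query call, e.g. `if (kbdintctxt->nreq > KBDINT_MAX_PROMPTS) fatal("send_userauth_info_request: too many prompts");` (the macro name is a suggestion), with a comment saying that the cap keeps `nresp * sizeof(char*)` from wrapping. The new struct field deserves a comment such as `/* number of prompts sent in the last INFO_REQUEST */`, and the loops in send_userauth_info_request now compare `int i` against the unsigned nreq, so `u_int i;` would avoid the mixed-sign comparison. Both function bodies start and end outside their hunks, so I cannot see whether nreq is reset or the handler is unregistered once a response has been consumed; that is worth confirming.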