author | Damien Miller <djm@mindrot.org> | 2002-06-26 23:58:39 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2002-06-26 23:58:39 +1000 |
commit | fb7fd9580ca8ff02d857e05c55670f3b6fed024e (patch) | |
tree | 1d8375f5804a03e6bae2c14a65a46391764bc1d1 /auth2-chall.c | |
parent | 7868202d56f72b5f833b454f0756b301bcf58190 (diff) |
- markus@cvs.openbsd.org 2002/06/26 13:55:37
[auth2-chall.c]
make sure # of response matches # of queries, fixes int overflow;
from ISS
Diffstat (limited to 'auth2-chall.c')
-rw-r--r-- | auth2-chall.c | 18 |
1 files changed, 12 insertions, 6 deletions
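--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -63,6 +63,7 @@ struct KbdintAuthctxt
 char *devices;
 void *ctxt;
 KbdintDevice *device;
+u_int nreq;
 };
 
 static KbdintAuthctxt *
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
 debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
 kbdintctxt->ctxt = NULL;
 kbdintctxt->device = NULL;
+kbdintctxt->nreq = 0;
 
 return kbdintctxt;
 }
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
 KbdintAuthctxt *kbdintctxt;
 char *name, *instr, **prompts;
 int i;
-u_int numprompts, *echo_on;
+u_int *echo_on;
 
 kbdintctxt = authctxt->kbdintctxt;
 if (kbdintctxt->device->query(kbdintctxt->ctxt,
-&name, &instr, &numprompts, &prompts, &echo_on))
+&name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
 return 0;
 
 packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
 packet_put_cstring(name);
 packet_put_cstring(instr);
 packet_put_cstring(""); /* language not used */
-packet_put_int(numprompts);
-for (i = 0; i < numprompts; i++) {
+packet_put_int(kbdintctxt->nreq);
+for (i = 0; i < kbdintctxt->nreq; i++) {
 packet_put_cstring(prompts[i]);
 packet_put_char(echo_on[i]);
 }
 packet_send();
 packet_write_wait();
 
-for (i = 0; i < numprompts; i++)
+for (i = 0; i < kbdintctxt->nreq; i++)
 xfree(prompts[i]);
 xfree(prompts);
 xfree(echo_on);
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 
 authctxt->postponed = 0; /* reset */
 nresp = packet_get_int();
+if (nresp != kbdintctxt->nreq)
+fatal("input_userauth_info_response: wrong number of replies");
+if (nresp > 100)
+fatal("input_userauth_info_response: too many replies");
 if (nresp > 0) {
 response = xmalloc(nresp * sizeof(char*));
 for (i = 0; i < nresp; i++)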
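Review bot: The `nresp > 100` cap in input_userauth_info_response is the check that keeps `nresp * sizeof(char*)` from wrapping, but it is an unnamed constant and it only runs after the client has replied. Since nresp must now equal kbdintctxt->nreq, a device whose query() reports more than 100 prompts would still have its request sent by send_userauth_info_request and then hit fatal() on any well-formed reply. Applying the same limit right after query() would fail earlier and closer to the cause, e.g. `if (kbdintctxt->nreq > KBDINT_MAX_PROMPTS) fatal("send_userauth_info_request: too many prompts");`, where KBDINT_MAX_PROMPTS is a name proposed here and not one defined in the file. A comment above the two new checks, such as `/* nresp is client-supplied; bound it before it sizes the xmalloc below */`, would record why both are needed. Both functions begin and end outside the hunks shown, so the declared type of nresp and any later reset of nreq could not be checked from this page.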