author | djm@openbsd.org <djm@openbsd.org> | 2018-07-10 09:13:30 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-10 19:15:35 +1000 |
commit | 0f3958c1e6ffb8ea4ba27e2a97a00326fce23246 (patch) | |
tree | f2538c652ca620a254578a088ff0f5eb2e36d9dd /auth2-gss.c | |
parent | c74ae8e7c45f325f3387abd48fa7dfef07a08069 (diff) |
upstream: kerberos/gssapi fixes for buffer removal
OpenBSD-Commit-ID: 1cdf56fec95801e4563c47f21696f04cd8b60c4c
Diffstat (limited to 'auth2-gss.c')
-rw-r--r-- | auth2-gss.c | 17 |
1 files changed, 12 insertions, 5 deletions
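--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.27 2018/07/09 21:37:55 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.28 2018/07/10 09:13:30 djm Exp $ */
 
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -204,15 +204,18 @@ input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
 gss_buffer_desc recv_tok;
 OM_uint32 maj_status;
 int r;
+u_char *p;
+size_t len;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
 
 gssctxt = authctxt->methoddata;
-if ((r = sshpkt_get_string(ssh,
-&recv_tok.value, &recv_tok.length)) != 0 ||
+if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
 (r = sshpkt_get_end(ssh)) != 0)
 fatal("%s: %s", __func__, ssh_err(r));
+recv_tok.value = p;
+recv_tok.length = len;
 
 /* Push the error token into GSSAPI to see what it says */
 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
@@ -240,7 +243,7 @@ static int
 input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 {
 Authctxt *authctxt = ssh->authctxt;
-int authenticated;
+int r, authenticated;
 const char *displayname;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
@@ -278,16 +281,20 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 struct sshbuf *b;
 gss_buffer_desc mic, gssbuf;
 const char *displayname;
+u_char *p;
+size_t len;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
 
 gssctxt = authctxt->methoddata;
 
-if ((r = sshpkt_get_string(ssh, &mic.value, &mic.length)) != 0)
+if ((r = sshpkt_get_string(ssh, &p, &len)) != 0)
 fatal("%s: %s", __func__, ssh_err(r));
 if ((b = sshbuf_new()) == NULL)
 fatal("%s: sshbuf_new failed", __func__);
+mic.value = p;
+mic.length = len;
 ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
 "gssapi-with-mic");
 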
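Review bot: In the input_gssapi_mic hunk the MIC is read with `sshpkt_get_string(ssh, &p, &len)` alone, so trailing bytes after the string are not rejected in the visible lines, whereas input_gssapi_errtok chains `(r = sshpkt_get_end(ssh)) != 0` into the same condition. If no later check exists, I would parse strictly here as well: `if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || (r = sshpkt_get_end(ssh)) != 0)`. Both functions continue past the end of their hunks, so the end-of-packet check and the release of the buffer now handed to `mic.value` and `recv_tok.value` may sit outside what is shown. A one-line comment at the assignments, for example `/* p was allocated by sshpkt_get_string(); released via mic.value */`, would make the ownership visible to the next reader.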