- djm@cvs.openbsd.org 2010/08/31 09:58:37

     [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c]
     [packet.h ssh-dss.c ssh-rsa.c]
     Add buffer_get_cstring() and related functions that verify that the
     string extracted from the buffer contains no embedded \0 characters*
     This prevents random (possibly malicious) crap from being appended to
     strings where it would not be noticed if the string is used with
     a string(3) function.

     Use the new API in a few sensitive places.

     * actually, we allow a single one at the end of the string for now because
     we don't know how many deployed implementations get this wrong, but don't
     count on this to remain indefinitely.

1 files changed, 5 insertions, 5 deletions

diff --git a/auth2.c b/auth2.c
index 5d5468559..95820f96f 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
+/* $OpenBSD: auth2.c,v 1.122 2010/08/31 09:58:37 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -182,7 +182,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
         Authctxt *authctxt = ctxt;
         u_int len;
         int acceptit = 0;
-        char *service = packet_get_string(&len);
+        char *service = packet_get_cstring(&len);
         packet_check_eom();
 
         if (authctxt == NULL)
@@ -221,9 +221,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
         if (authctxt == NULL)
                 fatal("input_userauth_request: no authctxt");
 
-        user = packet_get_string(NULL);
-        service = packet_get_string(NULL);
-        method = packet_get_string(NULL);
+        user = packet_get_cstring(NULL);
+        service = packet_get_cstring(NULL);
+        method = packet_get_cstring(NULL);
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);