diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-11-06 05:46:37 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-11-06 16:48:29 +1100 |
| commit | 010359b32659f455fddd2bd85fd7cc4d7a3b994a (patch) | |
| tree | 3e7256e7255cac73e3ab1e9e3bde697a66b60865 /servconf.c | |
| parent | efb494e81d1317209256b38b49f4280897c61e69 (diff) | |
upstream commit
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c index 35abec489..a18ebb597 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.298 2016/10/24 01:09:17 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.299 2016/11/06 05:46:37 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -1366,6 +1366,9 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1366 | if (options->num_allow_users >= MAX_ALLOW_USERS) | 1366 | if (options->num_allow_users >= MAX_ALLOW_USERS) |
| 1367 | fatal("%s line %d: too many allow users.", | 1367 | fatal("%s line %d: too many allow users.", |
| 1368 | filename, linenum); | 1368 | filename, linenum); |
| 1369 | if (match_user(NULL, NULL, NULL, arg) == -1) | ||
| 1370 | fatal("%s line %d: invalid AllowUsers pattern: " | ||
| 1371 | "\"%.100s\"", filename, linenum, arg); | ||
| 1369 | if (!*activep) | 1372 | if (!*activep) |
| 1370 | continue; | 1373 | continue; |
| 1371 | options->allow_users[options->num_allow_users++] = | 1374 | options->allow_users[options->num_allow_users++] = |
| @@ -1378,6 +1381,9 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1378 | if (options->num_deny_users >= MAX_DENY_USERS) | 1381 | if (options->num_deny_users >= MAX_DENY_USERS) |
| 1379 | fatal("%s line %d: too many deny users.", | 1382 | fatal("%s line %d: too many deny users.", |
| 1380 | filename, linenum); | 1383 | filename, linenum); |
| 1384 | if (match_user(NULL, NULL, NULL, arg) == -1) | ||
| 1385 | fatal("%s line %d: invalid DenyUsers pattern: " | ||
| 1386 | "\"%.100s\"", filename, linenum, arg); | ||
| 1381 | if (!*activep) | 1387 | if (!*activep) |
| 1382 | continue; | 1388 | continue; |
| 1383 | options->deny_users[options->num_deny_users++] = | 1389 | options->deny_users[options->num_deny_users++] = |