3 files changed, 23 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index de4f4a704..f9889b4d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+19991119
+ - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
 19991118
 - Merged OpenBSD CVS changes
   - [scp.c] foregroundproc() in scp
diff --git a/README b/README
index 06080b0dd..c9427da27 100644
--- a/README
+++ b/README
@@ -1,4 +1,5 @@
-This is the Unix port of OpenBSD's excellent OpenSSH.
+This is the port of OpenBSD's excellent OpenSSH to Linux and other
+Unices.
 OpenSSH is based on the last free version of Tatu Ylonen's SSH with
 all patent-encumbered algorithms removed, all known security bugs
diff --git a/sshd.c b/sshd.c
index 9e33f69f7..e3a94bf13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
 */
 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.23 1999/11/17 22:28:11 damien Exp $");
+RCSID("$Id: sshd.c,v 1.24 1999/11/18 20:56:21 damien Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
 static int pamconv(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
 {
-  int count = 0;
+  struct pam_response *reply;
-  struct pam_response *reply = NULL;
+  int count;
+  size_t msg_len;
+  char *p;
  /* PAM will free this later */
  reply = malloc(num_msg * sizeof(*reply));
@@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
        reply[count].resp_retcode = PAM_SUCCESS;
        reply[count].resp = xstrdup("");
        
-        if (msg[count]->msg == NULL) break;
+        if (msg[count]->msg == NULL)
+            break;
        debug("Adding PAM message: %s", msg[count]->msg);
-        if (pamconv_msg == NULL)
-        {
+        msg_len = strlen(msg[count]->msg);
-          pamconv_msg = malloc(strlen(msg[count]->msg) + 2);
+        if (pamconv_msg)
-          
-          if (pamconv_msg == NULL)
-            return PAM_CONV_ERR;
-            
-          strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
-          pamconv_msg[strlen(msg[count]->msg)] = '\n';
-          pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
-        } else
        {
-          pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);
+          size_t n = strlen(pamconv_msg);
-          strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
+          pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
-          pamconv_msg[strlen(pamconv_msg)] = '\n';
+          p = pamconv_msg + n;
-          pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
        }
+        else
+          pamconv_msg = p = xmalloc(msg_len + 2);
+        memcpy(p, msg[count]->msg, msg_len);
+        p[msg_len] = '\n';
+        p[msg_len + 1] = '\0';
        break;
      case PAM_PROMPT_ECHO_ON:

diff --git a/ChangeLog b/ChangeLog index de4f4a704..f9889b4d8 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,6 @@
		1	19991119
		2	- Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
		3
1	19991118	4	19991118
2	- Merged OpenBSD CVS changes	5	- Merged OpenBSD CVS changes
3	- [scp.c] foregroundproc() in scp	6	- [scp.c] foregroundproc() in scp


diff --git a/README b/README index 06080b0dd..c9427da27 100644 --- a/README +++ b/README
@@ -1,4 +1,5 @@
1	This is the Unix port of OpenBSD's excellent OpenSSH.	1	This is the port of OpenBSD's excellent OpenSSH to Linux and other
		2	Unices.
2		3
3	OpenSSH is based on the last free version of Tatu Ylonen's SSH with	4	OpenSSH is based on the last free version of Tatu Ylonen's SSH with
4	all patent-encumbered algorithms removed, all known security bugs	5	all patent-encumbered algorithms removed, all known security bugs


diff --git a/sshd.c b/sshd.c index 9e33f69f7..e3a94bf13 100644 --- a/sshd.c +++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
18	*/	18	*/
19		19
20	#include "includes.h"	20	#include "includes.h"
21	RCSID("$Id: sshd.c,v 1.23 1999/11/17 22:28:11 damien Exp $");	21	RCSID("$Id: sshd.c,v 1.24 1999/11/18 20:56:21 damien Exp $");
22		22
23	#include "xmalloc.h"	23	#include "xmalloc.h"
24	#include "rsa.h"	24	#include "rsa.h"
@@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
152	static int pamconv(int num_msg, const struct pam_message **msg,	152	static int pamconv(int num_msg, const struct pam_message **msg,
153	struct pam_response *resp, void appdata_ptr)	153	struct pam_response *resp, void appdata_ptr)
154	{	154	{
155	int count = 0;	155	struct pam_response *reply;
156	struct pam_response *reply = NULL;	156	int count;
		157	size_t msg_len;
		158	char *p;
157		159
158	/* PAM will free this later */	160	/* PAM will free this later */
159	reply = malloc(num_msg * sizeof(*reply));	161	reply = malloc(num_msg * sizeof(*reply));
@@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
178	reply[count].resp_retcode = PAM_SUCCESS;	180	reply[count].resp_retcode = PAM_SUCCESS;
179	reply[count].resp = xstrdup("");	181	reply[count].resp = xstrdup("");
180		182
181	if (msg[count]->msg == NULL) break;	183	if (msg[count]->msg == NULL)
		184	break;
182	debug("Adding PAM message: %s", msg[count]->msg);	185	debug("Adding PAM message: %s", msg[count]->msg);
183	if (pamconv_msg == NULL)	186
184	{	187	msg_len = strlen(msg[count]->msg);
185	pamconv_msg = malloc(strlen(msg[count]->msg) + 2);	188	if (pamconv_msg)
186
187	if (pamconv_msg == NULL)
188	return PAM_CONV_ERR;
189
190	strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
191	pamconv_msg[strlen(msg[count]->msg)] = '\n';
192	pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
193	} else
194	{	189	{
195	pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);	190	size_t n = strlen(pamconv_msg);
196	strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));	191	pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
197	pamconv_msg[strlen(pamconv_msg)] = '\n';	192	p = pamconv_msg + n;
198	pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
199	}	193	}
		194	else
		195	pamconv_msg = p = xmalloc(msg_len + 2);
		196	memcpy(p, msg[count]->msg, msg_len);
		197	p[msg_len] = '\n';
		198	p[msg_len + 1] = '\0';
200	break;	199	break;
201		200
202	case PAM_PROMPT_ECHO_ON:	201	case PAM_PROMPT_ECHO_ON: