-rw-r--r--ChangeLog6
-rw-r--r--auth2-chall.c18
2 files changed, 17 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 852fa1d3f..9d2332163 100644
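--- a/ChangeLog
+++ b/ChangeLog
@@ -55,6 +55,10 @@
  [session.c]
  disclose less information from environment files; based on input
  from djm, and dschultz@uclink.Berkeley.EDU
+ - markus@cvs.openbsd.org 2002/06/26 13:55:37
+ [auth2-chall.c]
+ make sure # of response matches # of queries, fixes int overflow;
+ from ISS
  - (djm) Require krb5 devel for RPM build w/ KrbV
  - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai
  <nalin@redhat.com>
@@ -1159,4 +1163,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2299 2002/06/26 13:57:59 djm Exp $
+$Id: ChangeLog,v 1.2300 2002/06/26 13:58:39 djm Exp $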
diff --git a/auth2-chall.c b/auth2-chall.c
index f35bfb2f8..e1440f47d 100644
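--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -63,6 +63,7 @@ struct KbdintAuthctxt
  char *devices;
  void *ctxt;
  KbdintDevice *device;
+ u_int nreq;
 };
 
 static KbdintAuthctxt *
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
  debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
  kbdintctxt->ctxt = NULL;
  kbdintctxt->device = NULL;
+ kbdintctxt->nreq = 0;
 
  return kbdintctxt;
 }
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
  KbdintAuthctxt *kbdintctxt;
  char *name, *instr, **prompts;
  int i;
- u_int numprompts, *echo_on;
+ u_int *echo_on;
 
  kbdintctxt = authctxt->kbdintctxt;
  if (kbdintctxt->device->query(kbdintctxt->ctxt,
- &name, &instr, &numprompts, &prompts, &echo_on))
+ &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
  return 0;
 
  packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
  packet_put_cstring(name);
  packet_put_cstring(instr);
  packet_put_cstring(""); /* language not used */
- packet_put_int(numprompts);
- for (i = 0; i < numprompts; i++) {
+ packet_put_int(kbdintctxt->nreq);
+ for (i = 0; i < kbdintctxt->nreq; i++) {
  packet_put_cstring(prompts[i]);
  packet_put_char(echo_on[i]);
  }
  packet_send();
  packet_write_wait();
 
- for (i = 0; i < numprompts; i++)
+ for (i = 0; i < kbdintctxt->nreq; i++)
  xfree(prompts[i]);
  xfree(prompts);
  xfree(echo_on);
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 
  authctxt->postponed = 0; /* reset */
  nresp = packet_get_int();
+ if (nresp != kbdintctxt->nreq)
+ fatal("input_userauth_info_response: wrong number of replies");
+ if (nresp > 100)
+ fatal("input_userauth_info_response: too many replies");
  if (nresp > 0) {
  response = xmalloc(nresp * sizeof(char*));
  for (i = 0; i < nresp; i++)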
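Review bot: The `nresp > 100` cap in input_userauth_info_response can only trigger when nresp already equals kbdintctxt->nreq, so in effect it limits the prompt count the device returned from query(), but it is applied after the request was sent and as a bare literal. Checking the bound in send_userauth_info_request right after query() fills nreq, against a named constant such as `#define KBDINT_MAX_PROMPTS 100` (name constructed for this note), would reject an oversized prompt set before it goes on the wire and would record that this limit is what keeps `nresp * sizeof(char*)` from wrapping. The two fatal() messages would also be easier to triage in logs if they carried the counts, for example `fatal("input_userauth_info_response: wrong number of replies (%u, expected %u)", nresp, kbdintctxt->nreq);`, assuming nresp is unsigned, since its declaration is outside the hunk. Nothing visible resets nreq once a response has been consumed or when query() fails, so it is worth confirming that a stale count cannot be matched by a later response; the bodies of both functions continue outside the hunks shown.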