diff options
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth2-chall.c | 18 |
2 files changed, 17 insertions, 7 deletions
@@ -55,6 +55,10 @@ | |||
55 | [session.c] | 55 | [session.c] |
56 | disclose less information from environment files; based on input | 56 | disclose less information from environment files; based on input |
57 | from djm, and dschultz@uclink.Berkeley.EDU | 57 | from djm, and dschultz@uclink.Berkeley.EDU |
58 | - markus@cvs.openbsd.org 2002/06/26 13:55:37 | ||
59 | [auth2-chall.c] | ||
60 | make sure # of response matches # of queries, fixes int overflow; | ||
61 | from ISS | ||
58 | - (djm) Require krb5 devel for RPM build w/ KrbV | 62 | - (djm) Require krb5 devel for RPM build w/ KrbV |
59 | - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai | 63 | - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai |
60 | <nalin@redhat.com> | 64 | <nalin@redhat.com> |
@@ -1159,4 +1163,4 @@ | |||
1159 | - (stevesk) entropy.c: typo in debug message | 1163 | - (stevesk) entropy.c: typo in debug message |
1160 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ | 1164 | - (djm) ssh-keygen -i needs seeded RNG; report from markus@ |
1161 | 1165 | ||
1162 | $Id: ChangeLog,v 1.2299 2002/06/26 13:57:59 djm Exp $ | 1166 | $Id: ChangeLog,v 1.2300 2002/06/26 13:58:39 djm Exp $ |
diff --git a/auth2-chall.c b/auth2-chall.c index f35bfb2f8..e1440f47d 100644 --- a/auth2-chall.c +++ b/auth2-chall.c | |||
@@ -23,7 +23,7 @@ | |||
23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 23 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 | */ | 24 | */ |
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $"); | 26 | RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $"); |
27 | 27 | ||
28 | #include "ssh2.h" | 28 | #include "ssh2.h" |
29 | #include "auth.h" | 29 | #include "auth.h" |
@@ -63,6 +63,7 @@ struct KbdintAuthctxt | |||
63 | char *devices; | 63 | char *devices; |
64 | void *ctxt; | 64 | void *ctxt; |
65 | KbdintDevice *device; | 65 | KbdintDevice *device; |
66 | u_int nreq; | ||
66 | }; | 67 | }; |
67 | 68 | ||
68 | static KbdintAuthctxt * | 69 | static KbdintAuthctxt * |
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs) | |||
90 | debug("kbdint_alloc: devices '%s'", kbdintctxt->devices); | 91 | debug("kbdint_alloc: devices '%s'", kbdintctxt->devices); |
91 | kbdintctxt->ctxt = NULL; | 92 | kbdintctxt->ctxt = NULL; |
92 | kbdintctxt->device = NULL; | 93 | kbdintctxt->device = NULL; |
94 | kbdintctxt->nreq = 0; | ||
93 | 95 | ||
94 | return kbdintctxt; | 96 | return kbdintctxt; |
95 | } | 97 | } |
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt) | |||
209 | KbdintAuthctxt *kbdintctxt; | 211 | KbdintAuthctxt *kbdintctxt; |
210 | char *name, *instr, **prompts; | 212 | char *name, *instr, **prompts; |
211 | int i; | 213 | int i; |
212 | u_int numprompts, *echo_on; | 214 | u_int *echo_on; |
213 | 215 | ||
214 | kbdintctxt = authctxt->kbdintctxt; | 216 | kbdintctxt = authctxt->kbdintctxt; |
215 | if (kbdintctxt->device->query(kbdintctxt->ctxt, | 217 | if (kbdintctxt->device->query(kbdintctxt->ctxt, |
216 | &name, &instr, &numprompts, &prompts, &echo_on)) | 218 | &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on)) |
217 | return 0; | 219 | return 0; |
218 | 220 | ||
219 | packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); | 221 | packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); |
220 | packet_put_cstring(name); | 222 | packet_put_cstring(name); |
221 | packet_put_cstring(instr); | 223 | packet_put_cstring(instr); |
222 | packet_put_cstring(""); /* language not used */ | 224 | packet_put_cstring(""); /* language not used */ |
223 | packet_put_int(numprompts); | 225 | packet_put_int(kbdintctxt->nreq); |
224 | for (i = 0; i < numprompts; i++) { | 226 | for (i = 0; i < kbdintctxt->nreq; i++) { |
225 | packet_put_cstring(prompts[i]); | 227 | packet_put_cstring(prompts[i]); |
226 | packet_put_char(echo_on[i]); | 228 | packet_put_char(echo_on[i]); |
227 | } | 229 | } |
228 | packet_send(); | 230 | packet_send(); |
229 | packet_write_wait(); | 231 | packet_write_wait(); |
230 | 232 | ||
231 | for (i = 0; i < numprompts; i++) | 233 | for (i = 0; i < kbdintctxt->nreq; i++) |
232 | xfree(prompts[i]); | 234 | xfree(prompts[i]); |
233 | xfree(prompts); | 235 | xfree(prompts); |
234 | xfree(echo_on); | 236 | xfree(echo_on); |
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) | |||
256 | 258 | ||
257 | authctxt->postponed = 0; /* reset */ | 259 | authctxt->postponed = 0; /* reset */ |
258 | nresp = packet_get_int(); | 260 | nresp = packet_get_int(); |
261 | if (nresp != kbdintctxt->nreq) | ||
262 | fatal("input_userauth_info_response: wrong number of replies"); | ||
263 | if (nresp > 100) | ||
264 | fatal("input_userauth_info_response: too many replies"); | ||
259 | if (nresp > 0) { | 265 | if (nresp > 0) { |
260 | response = xmalloc(nresp * sizeof(char*)); | 266 | response = xmalloc(nresp * sizeof(char*)); |
261 | for (i = 0; i < nresp; i++) | 267 | for (i = 0; i < nresp; i++) |