From 1d2c4564265ee827147af246a16f3777741411ed Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 4 Feb 2014 11:18:20 +1100
Subject:    - tedu@cvs.openbsd.org 2014/01/31 16:39:19      [auth2-chall.c
 authfd.c authfile.c bufaux.c bufec.c canohost.c]      [channels.c
 cipher-chachapoly.c clientloop.c configure.ac hostfile.c]      [kexc25519.c
 krl.c monitor.c sandbox-systrace.c session.c]      [sftp-client.c
 ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]     
 [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]     
 replace most bzero with explicit_bzero, except a few that cna be memset     
 ok djm dtucker

---
 session.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'session.c')

diff --git a/session.c b/session.c
index 12dd9ab10..f5049774b 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.269 2014/01/18 09:36:26 dtucker Exp $ */
+/* $OpenBSD: session.c,v 1.270 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1889,7 +1889,7 @@ session_unused(int id)
 		fatal("%s: insane session id %d (max %d nalloc %d)",
 		    __func__, id, options.max_sessions, sessions_nalloc);
 	}
-	bzero(&sessions[id], sizeof(*sessions));
+	memset(&sessions[id], 0, sizeof(*sessions));
 	sessions[id].self = id;
 	sessions[id].used = 0;
 	sessions[id].chanid = -1;
-- 
cgit v1.2.3


From 8569eba5d7f7348ce3955eeeb399f66f25c52ece Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 4 Mar 2014 09:35:17 +1100
Subject:    - djm@cvs.openbsd.org 2014/03/03 22:22:30      [session.c]     
 ignore enviornment variables with embedded '=' or '\0' characters;     
 spotted by Jann Horn; ok deraadt@

---
 ChangeLog | 7 +++++++
 session.c | 9 +++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'session.c')

diff --git a/ChangeLog b/ChangeLog
index fa0453c86..e49127bfa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140304
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/03/03 22:22:30
+     [session.c]
+     ignore enviornment variables with embedded '=' or '\0' characters;
+     spotted by Jann Horn; ok deraadt@
+
 20140301
  - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
    no moduli file exists at the expected location.
diff --git a/session.c b/session.c
index f5049774b..2bcf8185c 100644
--- a/session.c
+++ b/session.c
@@ -978,6 +978,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
 	u_int envsize;
 	u_int i, namelen;
 
+	if (strchr(name, '=') != NULL) {
+		error("Invalid environment variable \"%.100s\"", name);
+		return;
+	}
+
 	/*
 	 * If we're passed an uninitialized list, allocate a single null
 	 * entry before continuing.
@@ -2225,8 +2230,8 @@ session_env_req(Session *s)
 	char *name, *val;
 	u_int name_len, val_len, i;
 
-	name = packet_get_string(&name_len);
-	val = packet_get_string(&val_len);
+	name = packet_get_cstring(&name_len);
+	val = packet_get_cstring(&val_len);
 	packet_check_eom();
 
 	/* Don't set too many environment variables */
-- 
cgit v1.2.3