From 8569eba5d7f7348ce3955eeeb399f66f25c52ece Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 4 Mar 2014 09:35:17 +1100
Subject:    - djm@cvs.openbsd.org 2014/03/03 22:22:30      [session.c]     
 ignore enviornment variables with embedded '=' or '\0' characters;     
 spotted by Jann Horn; ok deraadt@

---
 session.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'session.c')

diff --git a/session.c b/session.c
index f5049774b..2bcf8185c 100644
--- a/session.c
+++ b/session.c
@@ -978,6 +978,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
 	u_int envsize;
 	u_int i, namelen;
 
+	if (strchr(name, '=') != NULL) {
+		error("Invalid environment variable \"%.100s\"", name);
+		return;
+	}
+
 	/*
 	 * If we're passed an uninitialized list, allocate a single null
 	 * entry before continuing.
@@ -2225,8 +2230,8 @@ session_env_req(Session *s)
 	char *name, *val;
 	u_int name_len, val_len, i;
 
-	name = packet_get_string(&name_len);
-	val = packet_get_string(&val_len);
+	name = packet_get_cstring(&name_len);
+	val = packet_get_cstring(&val_len);
 	packet_check_eom();
 
 	/* Don't set too many environment variables */
-- 
cgit v1.2.3