diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2006-01-31 10:19:03 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2006-01-31 10:19:03 +0000 |
| commit | 4642520f044beb240350338ee00862f58a91200b (patch) | |
| tree | e9389c74fca3c0fe8187ec99fe239d1ecd6f61ca /usr.bin/ssh/misc.c | |
| parent | efd59c8464a11bdf906696175b911ed746ad30e5 (diff) | |
fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
Diffstat (limited to 'usr.bin/ssh/misc.c')
| -rw-r--r-- | usr.bin/ssh/misc.c | 45 |
1 files changed, 41 insertions, 4 deletions
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c index 5a990db232e..9ec397aee8a 100644 --- a/usr.bin/ssh/misc.c +++ b/usr.bin/ssh/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.41 2006/01/05 23:43:53 djm Exp $"); +RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $"); #include <net/if.h> @@ -383,12 +383,15 @@ void addargs(arglist *args, char *fmt, ...) { va_list ap; - char buf[1024]; + char *cp; u_int nalloc; + int r; va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); + r = vasprintf(&cp, fmt, ap); va_end(ap); + if (r == -1) + fatal("addargs: argument too long"); nalloc = args->nalloc; if (args->list == NULL) { @@ -399,10 +402,44 @@ addargs(arglist *args, char *fmt, ...) args->list = xrealloc(args->list, nalloc * sizeof(char *)); args->nalloc = nalloc; - args->list[args->num++] = xstrdup(buf); + args->list[args->num++] = cp; args->list[args->num] = NULL; } +void +replacearg(arglist *args, u_int which, char *fmt, ...) +{ + va_list ap; + char *cp; + int r; + + va_start(ap, fmt); + r = vasprintf(&cp, fmt, ap); + va_end(ap); + if (r == -1) + fatal("replacearg: argument too long"); + + if (which >= args->num) + fatal("replacearg: tried to replace invalid arg %d >= %d", + which, args->num); + xfree(args->list[which]); + args->list[which] = cp; +} + +void +freeargs(arglist *args) +{ + u_int i; + + if (args->list != NULL) { + for (i = 0; i < args->num; i++) + xfree(args->list[i]); + xfree(args->list); + args->nalloc = args->num = 0; + args->list = NULL; + } +} + /* * Expands tildes in the file name. Returns data allocated by xmalloc. * Warning: this calls getpw*. |