summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/misc.c
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2009-11-20 03:24:08 +0000
committerDamien Miller <djm@cvs.openbsd.org>2009-11-20 03:24:08 +0000
commitefa3693465ba3a77776b0e656c65d4a85e58018d (patch)
treeb2713100fc2733095cbf19e23f544881a788c37c /usr.bin/ssh/misc.c
parenta2b4d392f7178cc88efc353c460b1d455466a39a (diff)
correct off-by-one in percent_expand(): we would fatal() when trying
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work. Note that nothing in OpenSSH actually uses close to this limit at present. bz#1607 from Jan.Pechanec AT Sun.COM
Diffstat (limited to 'usr.bin/ssh/misc.c')
-rw-r--r--usr.bin/ssh/misc.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c
index 066d90b4ed0..04a54068872 100644
--- a/usr.bin/ssh/misc.c
+++ b/usr.bin/ssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */
+/* $OpenBSD: misc.c,v 1.73 2009/11/20 03:24:07 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -584,11 +584,11 @@ char *
percent_expand(const char *string, ...)
{
#define EXPAND_MAX_KEYS 16
+ u_int num_keys, i, j;
struct {
const char *key;
const char *repl;
} keys[EXPAND_MAX_KEYS];
- u_int num_keys, i, j;
char buf[4096];
va_list ap;
@@ -600,13 +600,12 @@ percent_expand(const char *string, ...)
break;
keys[num_keys].repl = va_arg(ap, char *);
if (keys[num_keys].repl == NULL)
- fatal("percent_expand: NULL replacement");
+ fatal("%s: NULL replacement", __func__);
}
+ if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL)
+ fatal("%s: too many keys", __func__);
va_end(ap);
- if (num_keys >= EXPAND_MAX_KEYS)
- fatal("percent_expand: too many keys");
-
/* Expand string */
*buf = '\0';
for (i = 0; *string != '\0'; string++) {
@@ -614,23 +613,24 @@ percent_expand(const char *string, ...)
append:
buf[i++] = *string;
if (i >= sizeof(buf))
- fatal("percent_expand: string too long");
+ fatal("%s: string too long", __func__);
buf[i] = '\0';
continue;
}
string++;
+ /* %% case */
if (*string == '%')
goto append;
for (j = 0; j < num_keys; j++) {
if (strchr(keys[j].key, *string) != NULL) {
i = strlcat(buf, keys[j].repl, sizeof(buf));
if (i >= sizeof(buf))
- fatal("percent_expand: string too long");
+ fatal("%s: string too long", __func__);
break;
}
}
if (j >= num_keys)
- fatal("percent_expand: unknown key %%%c", *string);
+ fatal("%s: unknown key %%%c", __func__, *string);
}
return (xstrdup(buf));
#undef EXPAND_MAX_KEYS