summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2002-06-26 13:55:38 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2002-06-26 13:55:38 +0000
commita6e15df747d0fe2a291a7ad8035da90c0c3e8dfb (patch)
tree65fd707bf5e77604abe7f1863a3258ec516752be /usr.bin/ssh
parent2c3bb6e9bea57b2a5054153cc29f7a9abbdefd35 (diff)
make sure # of response matches # of queries, fixes int overflow; from ISS
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/auth2-chall.c18
1 files changed, 12 insertions, 6 deletions
diff --git a/usr.bin/ssh/auth2-chall.c b/usr.bin/ssh/auth2-chall.c
index f35bfb2f8ee..e1440f47d7c 100644
--- a/usr.bin/ssh/auth2-chall.c
+++ b/usr.bin/ssh/auth2-chall.c
@@ -23,7 +23,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
#include "ssh2.h"
#include "auth.h"
@@ -63,6 +63,7 @@ struct KbdintAuthctxt
char *devices;
void *ctxt;
KbdintDevice *device;
+ u_int nreq;
};
static KbdintAuthctxt *
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
kbdintctxt->ctxt = NULL;
kbdintctxt->device = NULL;
+ kbdintctxt->nreq = 0;
return kbdintctxt;
}
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
KbdintAuthctxt *kbdintctxt;
char *name, *instr, **prompts;
int i;
- u_int numprompts, *echo_on;
+ u_int *echo_on;
kbdintctxt = authctxt->kbdintctxt;
if (kbdintctxt->device->query(kbdintctxt->ctxt,
- &name, &instr, &numprompts, &prompts, &echo_on))
+ &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
return 0;
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(name);
packet_put_cstring(instr);
packet_put_cstring(""); /* language not used */
- packet_put_int(numprompts);
- for (i = 0; i < numprompts; i++) {
+ packet_put_int(kbdintctxt->nreq);
+ for (i = 0; i < kbdintctxt->nreq; i++) {
packet_put_cstring(prompts[i]);
packet_put_char(echo_on[i]);
}
packet_send();
packet_write_wait();
- for (i = 0; i < numprompts; i++)
+ for (i = 0; i < kbdintctxt->nreq; i++)
xfree(prompts[i]);
xfree(prompts);
xfree(echo_on);
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
+ if (nresp != kbdintctxt->nreq)
+ fatal("input_userauth_info_response: wrong number of replies");
+ if (nresp > 100)
+ fatal("input_userauth_info_response: too many replies");
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)