diff options
author | Markus Friedl <markus@cvs.openbsd.org> | 2002-06-26 13:55:38 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2002-06-26 13:55:38 +0000 |
commit | a6e15df747d0fe2a291a7ad8035da90c0c3e8dfb (patch) | |
tree | 65fd707bf5e77604abe7f1863a3258ec516752be /usr.bin/ssh | |
parent | 2c3bb6e9bea57b2a5054153cc29f7a9abbdefd35 (diff) |
make sure # of response matches # of queries, fixes int overflow; from ISS
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/auth2-chall.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/usr.bin/ssh/auth2-chall.c b/usr.bin/ssh/auth2-chall.c index f35bfb2f8ee..e1440f47d7c 100644 --- a/usr.bin/ssh/auth2-chall.c +++ b/usr.bin/ssh/auth2-chall.c @@ -23,7 +23,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $"); +RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $"); #include "ssh2.h" #include "auth.h" @@ -63,6 +63,7 @@ struct KbdintAuthctxt char *devices; void *ctxt; KbdintDevice *device; + u_int nreq; }; static KbdintAuthctxt * @@ -90,6 +91,7 @@ kbdint_alloc(const char *devs) debug("kbdint_alloc: devices '%s'", kbdintctxt->devices); kbdintctxt->ctxt = NULL; kbdintctxt->device = NULL; + kbdintctxt->nreq = 0; return kbdintctxt; } @@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt) KbdintAuthctxt *kbdintctxt; char *name, *instr, **prompts; int i; - u_int numprompts, *echo_on; + u_int *echo_on; kbdintctxt = authctxt->kbdintctxt; if (kbdintctxt->device->query(kbdintctxt->ctxt, - &name, &instr, &numprompts, &prompts, &echo_on)) + &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on)) return 0; packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); packet_put_cstring(name); packet_put_cstring(instr); packet_put_cstring(""); /* language not used */ - packet_put_int(numprompts); - for (i = 0; i < numprompts; i++) { + packet_put_int(kbdintctxt->nreq); + for (i = 0; i < kbdintctxt->nreq; i++) { packet_put_cstring(prompts[i]); packet_put_char(echo_on[i]); } packet_send(); packet_write_wait(); - for (i = 0; i < numprompts; i++) + for (i = 0; i < kbdintctxt->nreq; i++) xfree(prompts[i]); xfree(prompts); xfree(echo_on); @@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt) authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp != kbdintctxt->nreq) + fatal("input_userauth_info_response: wrong number of replies"); + if (nresp > 100) + fatal("input_userauth_info_response: too many replies"); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) |