diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2009-11-20 03:24:08 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2009-11-20 03:24:08 +0000 |
| commit | efa3693465ba3a77776b0e656c65d4a85e58018d (patch) | |
| tree | b2713100fc2733095cbf19e23f544881a788c37c /usr.bin | |
| parent | a2b4d392f7178cc88efc353c460b1d455466a39a (diff) | |
correct off-by-one in percent_expand(): we would fatal() when trying
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work.
Note that nothing in OpenSSH actually uses close to this limit at present.
bz#1607 from Jan.Pechanec AT Sun.COM
Diffstat (limited to 'usr.bin')
| -rw-r--r-- | usr.bin/ssh/misc.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c index 066d90b4ed0..04a54068872 100644 --- a/usr.bin/ssh/misc.c +++ b/usr.bin/ssh/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */ +/* $OpenBSD: misc.c,v 1.73 2009/11/20 03:24:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -584,11 +584,11 @@ char * percent_expand(const char *string, ...) { #define EXPAND_MAX_KEYS 16 + u_int num_keys, i, j; struct { const char *key; const char *repl; } keys[EXPAND_MAX_KEYS]; - u_int num_keys, i, j; char buf[4096]; va_list ap; @@ -600,13 +600,12 @@ percent_expand(const char *string, ...) break; keys[num_keys].repl = va_arg(ap, char *); if (keys[num_keys].repl == NULL) - fatal("percent_expand: NULL replacement"); + fatal("%s: NULL replacement", __func__); } + if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL) + fatal("%s: too many keys", __func__); va_end(ap); - if (num_keys >= EXPAND_MAX_KEYS) - fatal("percent_expand: too many keys"); - /* Expand string */ *buf = '\0'; for (i = 0; *string != '\0'; string++) { @@ -614,23 +613,24 @@ percent_expand(const char *string, ...) append: buf[i++] = *string; if (i >= sizeof(buf)) - fatal("percent_expand: string too long"); + fatal("%s: string too long", __func__); buf[i] = '\0'; continue; } string++; + /* %% case */ if (*string == '%') goto append; for (j = 0; j < num_keys; j++) { if (strchr(keys[j].key, *string) != NULL) { i = strlcat(buf, keys[j].repl, sizeof(buf)); if (i >= sizeof(buf)) - fatal("percent_expand: string too long"); + fatal("%s: string too long", __func__); break; } } if (j >= num_keys) - fatal("percent_expand: unknown key %%%c", *string); + fatal("%s: unknown key %%%c", __func__, *string); } return (xstrdup(buf)); #undef EXPAND_MAX_KEYS |