- Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>

2024-11-23 18:23:25 +08:00 · 1999-11-19 07:56:21 +11:00 · 1999-11-19 07:56:21 +11:00 · 5bbbd364c9
commit 5bbbd364c9
parent 6ee9564901
3 changed files with 23 additions and 20 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+19991119
+ - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
+
 19991118
 - Merged OpenBSD CVS changes
   - [scp.c] foregroundproc() in scp
--- a/3
+++ b/3
@ -1,4 +1,5 @@
-This is the Unix port of OpenBSD's excellent OpenSSH.
+This is the port of OpenBSD's excellent OpenSSH to Linux and other
+Unices.

 OpenSSH is based on the last free version of Tatu Ylonen's SSH with
 all patent-encumbered algorithms removed, all known security bugs
--- a/sshd.c
+++ b/sshd.c
@ -18,7 +18,7 @@ agent connections.
 */

 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.23 1999/11/17 22:28:11 damien Exp $");
+RCSID("$Id: sshd.c,v 1.24 1999/11/18 20:56:21 damien Exp $");

 #include "xmalloc.h"
 #include "rsa.h"
@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
 static int pamconv(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
 {
-  int count = 0;
-  struct pam_response *reply = NULL;
+  struct pam_response *reply;
+  int count;
+  size_t msg_len;
+  char *p;

  /* PAM will free this later */
  reply = malloc(num_msg * sizeof(*reply));
@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
        reply[count].resp_retcode = PAM_SUCCESS;
        reply[count].resp = xstrdup("");
 	
-	if (msg[count]->msg == NULL) break;
+	if (msg[count]->msg == NULL)
+	    break;
 	debug("Adding PAM message: %s", msg[count]->msg);
-	if (pamconv_msg == NULL)
+
+	msg_len = strlen(msg[count]->msg);
+	if (pamconv_msg)
 	{
-	  pamconv_msg = malloc(strlen(msg[count]->msg) + 2);
-	  
-	  if (pamconv_msg == NULL)
-	    return PAM_CONV_ERR;
-	    
-	  strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
-	  pamconv_msg[strlen(msg[count]->msg)] = '\n';
-	  pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
-	} else
-	{
-	  pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);
-	  strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
-	  pamconv_msg[strlen(pamconv_msg)] = '\n';
-	  pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
+	  size_t n = strlen(pamconv_msg);
+	  pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
+	  p = pamconv_msg + n;
 	}
+	else
+	  pamconv_msg = p = xmalloc(msg_len + 2);
+	memcpy(p, msg[count]->msg, msg_len);
+	p[msg_len] = '\n';
+	p[msg_len + 1] = '\0';
        break;

      case PAM_PROMPT_ECHO_ON: