- Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>

diff --git a/ChangeLog b/ChangeLog
index de4f4a704832b2d88ec315b8042cf547dfdc2ae4..f9889b4d83ac9821241d011eb69a4f7b6b2206aa 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+19991119
+ - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
+
 19991118
  - Merged OpenBSD CVS changes
    - [scp.c] foregroundproc() in scp

diff --git a/README b/README
index 06080b0dd4213e41a02866b947d894dd1a43455f..c9427da27df4c51e21193483909fb06e4f0cad16 100644 (file)
--- a/README
+++ b/README
@@ -1,4 +1,5 @@
-This is the Unix port of OpenBSD's excellent OpenSSH.
+This is the port of OpenBSD's excellent OpenSSH to Linux and other
+Unices.
 
 OpenSSH is based on the last free version of Tatu Ylonen's SSH with
 all patent-encumbered algorithms removed, all known security bugs

diff --git a/sshd.c b/sshd.c
index ac4b6fed08a4cf8db813f5f42c6837da17e99f7e..bb2b0acd7d5513e8b325f6395cecd0fa11c3870c 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
 static int pamconv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
 {
-  int count = 0;
-  struct pam_response *reply = NULL;
+  struct pam_response *reply;
+  int count;
+  size_t msg_len;
+  char *p;
 
   /* PAM will free this later */
   reply = malloc(num_msg * sizeof(*reply));
@@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
         reply[count].resp_retcode = PAM_SUCCESS;
         reply[count].resp = xstrdup("");
        
-       if (msg[count]->msg == NULL) break;
+       if (msg[count]->msg == NULL)
+           break;
        debug("Adding PAM message: %s", msg[count]->msg);
-       if (pamconv_msg == NULL)
-       {
-         pamconv_msg = malloc(strlen(msg[count]->msg) + 2);
-         
-         if (pamconv_msg == NULL)
-           return PAM_CONV_ERR;
-           
-         strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
-         pamconv_msg[strlen(msg[count]->msg)] = '\n';
-         pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
-       } else
+
+       msg_len = strlen(msg[count]->msg);
+       if (pamconv_msg)
        {
-         pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);
-         strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
-         pamconv_msg[strlen(pamconv_msg)] = '\n';
-         pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
+         size_t n = strlen(pamconv_msg);
+         pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
+         p = pamconv_msg + n;
        }
+       else
+         pamconv_msg = p = xmalloc(msg_len + 2);
+       memcpy(p, msg[count]->msg, msg_len);
+       p[msg_len] = '\n';
+       p[msg_len + 1] = '\0';
         break;
 
       case PAM_PROMPT_ECHO_ON: