- markus@cvs.openbsd.org 2002/06/26 13:55:37

     [auth2-chall.c]
     make sure # of response matches # of queries, fixes int overflow;
     from ISS

diff --git a/ChangeLog b/ChangeLog
index 6f3c4ca1e4e205f33778d08ffdc2220a2bd381a5..0ff6cc01cb5b89a9a6fe6b6cff2e009387b1dedc 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -55,6 +55,10 @@
      [session.c]
      disclose less information from environment files; based on input 
      from djm, and dschultz@uclink.Berkeley.EDU
+   - markus@cvs.openbsd.org 2002/06/26 13:55:37
+     [auth2-chall.c]
+     make sure # of response matches # of queries, fixes int overflow; 
+     from ISS
  - (djm) Require krb5 devel for RPM build w/ KrbV 
  - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai 
    <nalin@redhat.com>

diff --git a/auth2-chall.c b/auth2-chall.c
index f35bfb2f8ee7968dc46e066f26f636773a53910f..e1440f47d7cb4e234420ec65d7732716e25f5286 100644 (file)
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
 
 #include "ssh2.h"
 #include "auth.h"
@@ -63,6 +63,7 @@ struct KbdintAuthctxt
        char *devices;
        void *ctxt;
        KbdintDevice *device;
+       u_int nreq;
 };
 
 static KbdintAuthctxt *
@@ -90,6 +91,7 @@ kbdint_alloc(const char *devs)
        debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
        kbdintctxt->ctxt = NULL;
        kbdintctxt->device = NULL;
+       kbdintctxt->nreq = 0;
 
        return kbdintctxt;
 }
@@ -209,26 +211,26 @@ send_userauth_info_request(Authctxt *authctxt)
        KbdintAuthctxt *kbdintctxt;
        char *name, *instr, **prompts;
        int i;
-       u_int numprompts, *echo_on;
+       u_int *echo_on;
 
        kbdintctxt = authctxt->kbdintctxt;
        if (kbdintctxt->device->query(kbdintctxt->ctxt,
-           &name, &instr, &numprompts, &prompts, &echo_on))
+           &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
                return 0;
 
        packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
        packet_put_cstring(name);
        packet_put_cstring(instr);
        packet_put_cstring("");         /* language not used */
-       packet_put_int(numprompts);
-       for (i = 0; i < numprompts; i++) {
+       packet_put_int(kbdintctxt->nreq);
+       for (i = 0; i < kbdintctxt->nreq; i++) {
                packet_put_cstring(prompts[i]);
                packet_put_char(echo_on[i]);
        }
        packet_send();
        packet_write_wait();
 
-       for (i = 0; i < numprompts; i++)
+       for (i = 0; i < kbdintctxt->nreq; i++)
                xfree(prompts[i]);
        xfree(prompts);
        xfree(echo_on);
@@ -256,6 +258,10 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 
        authctxt->postponed = 0;        /* reset */
        nresp = packet_get_int();
+       if (nresp != kbdintctxt->nreq)
+               fatal("input_userauth_info_response: wrong number of replies");
+       if (nresp > 100)
+               fatal("input_userauth_info_response: too many replies");
        if (nresp > 0) {
                response = xmalloc(nresp * sizeof(char*));
                for (i = 0; i < nresp; i++)