Fixed a possible out-of-bounds memory access if the environment variable
SHELL is shorter than 3 characters.
with input by and ok dtucker
+ - tobias@cvs.openbsd.org 2009/03/23 19:38:04
+ [ssh-agent.c]
+ My previous commit didn't fix the problem at all, so stick at my first
+ version of the fix presented to dtucker.
+ Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
+ ok dtucker
20090616
- (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
-/* $OpenBSD: ssh-agent.c,v 1.160 2009/03/23 08:31:19 tobias Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.161 2009/03/23 19:38:04 tobias Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
pid_t pid;
char pidstrbuf[1 + 3 * sizeof pid];
struct timeval *tvp = NULL;
+ size_t len;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");
- if (shell != NULL &&
- strncmp(shell + MAX(strlen(shell) - 3, 0), "csh", 3) == 0)
+ if (shell != NULL && (len = strlen(shell)) > 2 &&
+ strncmp(shell + len - 3, "csh", 3) == 0)
c_flag = 1;
}
if (k_flag) {