- djm@cvs.openbsd.org 2009/11/20 03:24:07

     [misc.c]
     correct off-by-one in percent_expand(): we would fatal() when trying
     to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
     work.  Note that nothing in OpenSSH actually uses close to this limit at
     present.  bz#1607 from Jan.Pechanec AT Sun.COM

diff --git a/ChangeLog b/ChangeLog
index b677213f82848140154017b9f2c0aca473c924b2..7a2a0e32295b02a54087d8fc27caa8a1af3be91d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -81,6 +81,12 @@
    - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
      [sshconnect2.c]
      Use the HostKeyAlias when prompting for passwords.  bz#1039, ok djm@
+   - djm@cvs.openbsd.org 2009/11/20 03:24:07
+     [misc.c]
+     correct off-by-one in percent_expand(): we would fatal() when trying
+     to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
+     work.  Note that nothing in OpenSSH actually uses close to this limit at
+     present.  bz#1607 from Jan.Pechanec AT Sun.COM
 
 20091226
  - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1

diff --git a/misc.c b/misc.c
index f0f1fd8416e7981f969f42dda448e74e16bd154e..21db00a137533402b68544f1f20e549cf6be01e1 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */
+/* $OpenBSD: misc.c,v 1.73 2009/11/20 03:24:07 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -597,11 +597,11 @@ char *
 percent_expand(const char *string, ...)
 {
 #define EXPAND_MAX_KEYS        16
+       u_int num_keys, i, j;
        struct {
                const char *key;
                const char *repl;
        } keys[EXPAND_MAX_KEYS];
-       u_int num_keys, i, j;
        char buf[4096];
        va_list ap;
 
@@ -613,13 +613,12 @@ percent_expand(const char *string, ...)
                        break;
                keys[num_keys].repl = va_arg(ap, char *);
                if (keys[num_keys].repl == NULL)
-                       fatal("percent_expand: NULL replacement");
+                       fatal("%s: NULL replacement", __func__);
        }
+       if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL)
+               fatal("%s: too many keys", __func__);
        va_end(ap);
 
-       if (num_keys >= EXPAND_MAX_KEYS)
-               fatal("percent_expand: too many keys");
-
        /* Expand string */
        *buf = '\0';
        for (i = 0; *string != '\0'; string++) {
@@ -627,23 +626,24 @@ percent_expand(const char *string, ...)
  append:
                        buf[i++] = *string;
                        if (i >= sizeof(buf))
-                               fatal("percent_expand: string too long");
+                               fatal("%s: string too long", __func__);
                        buf[i] = '\0';
                        continue;
                }
                string++;
+               /* %% case */
                if (*string == '%')
                        goto append;
                for (j = 0; j < num_keys; j++) {
                        if (strchr(keys[j].key, *string) != NULL) {
                                i = strlcat(buf, keys[j].repl, sizeof(buf));
                                if (i >= sizeof(buf))
-                                       fatal("percent_expand: string too long");
+                                       fatal("%s: string too long", __func__);
                                break;
                        }
                }
                if (j >= num_keys)
-                       fatal("percent_expand: unknown key %%%c", *string);
+                       fatal("%s: unknown key %%%c", __func__, *string);
        }
        return (xstrdup(buf));
 #undef EXPAND_MAX_KEYS