From: dtucker Date: Fri, 8 Jan 2010 07:49:16 +0000 (+0000) Subject: - djm@cvs.openbsd.org 2009/11/20 03:24:07 X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/704709cf9349a82419071ec332acb1783d591cd5 - djm@cvs.openbsd.org 2009/11/20 03:24:07 [misc.c] correct off-by-one in percent_expand(): we would fatal() when trying to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work. Note that nothing in OpenSSH actually uses close to this limit at present. bz#1607 from Jan.Pechanec AT Sun.COM --- diff --git a/ChangeLog b/ChangeLog index b677213f..7a2a0e32 100644 --- a/ChangeLog +++ b/ChangeLog @@ -81,6 +81,12 @@ - dtucker@cvs.openbsd.org 2009/11/20 00:59:36 [sshconnect2.c] Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@ + - djm@cvs.openbsd.org 2009/11/20 03:24:07 + [misc.c] + correct off-by-one in percent_expand(): we would fatal() when trying + to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually + work. Note that nothing in OpenSSH actually uses close to this limit at + present. bz#1607 from Jan.Pechanec AT Sun.COM 20091226 - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1 diff --git a/misc.c b/misc.c index f0f1fd84..21db00a1 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */ +/* $OpenBSD: misc.c,v 1.73 2009/11/20 03:24:07 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -597,11 +597,11 @@ char * percent_expand(const char *string, ...) { #define EXPAND_MAX_KEYS 16 + u_int num_keys, i, j; struct { const char *key; const char *repl; } keys[EXPAND_MAX_KEYS]; - u_int num_keys, i, j; char buf[4096]; va_list ap; @@ -613,13 +613,12 @@ percent_expand(const char *string, ...) break; keys[num_keys].repl = va_arg(ap, char *); if (keys[num_keys].repl == NULL) - fatal("percent_expand: NULL replacement"); + fatal("%s: NULL replacement", __func__); } + if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL) + fatal("%s: too many keys", __func__); va_end(ap); - if (num_keys >= EXPAND_MAX_KEYS) - fatal("percent_expand: too many keys"); - /* Expand string */ *buf = '\0'; for (i = 0; *string != '\0'; string++) { @@ -627,23 +626,24 @@ percent_expand(const char *string, ...) append: buf[i++] = *string; if (i >= sizeof(buf)) - fatal("percent_expand: string too long"); + fatal("%s: string too long", __func__); buf[i] = '\0'; continue; } string++; + /* %% case */ if (*string == '%') goto append; for (j = 0; j < num_keys; j++) { if (strchr(keys[j].key, *string) != NULL) { i = strlcat(buf, keys[j].repl, sizeof(buf)); if (i >= sizeof(buf)) - fatal("percent_expand: string too long"); + fatal("%s: string too long", __func__); break; } } if (j >= num_keys) - fatal("percent_expand: unknown key %%%c", *string); + fatal("%s: unknown key %%%c", __func__, *string); } return (xstrdup(buf)); #undef EXPAND_MAX_KEYS