diff options
| author | Darren Tucker <dtucker@dtucker.net> | 2023-03-09 08:19:44 +0100 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2023-03-09 08:32:48 +0100 |
| commit | a231414970e01a35f45a295d5f93698fa1249b28 (patch) | |
| tree | 90f22c8379e7f9595d26ea7c6bd757008223f0f0 /auth-pam.c | |
| parent | upstream: Plug mem leak. Coverity CID 405196, ok djm@ (diff) | |
| download | openssh-a231414970e01a35f45a295d5f93698fa1249b28.tar.xz openssh-a231414970e01a35f45a295d5f93698fa1249b28.zip | |
Limit the number of PAM environment variables.
From Coverity CID 405194, tweaks and ok djm@
Diffstat (limited to 'auth-pam.c')
| -rw-r--r-- | auth-pam.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/auth-pam.c b/auth-pam.c index b324953a1..f5a06b1f6 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -351,11 +351,12 @@ import_environments(struct sshbuf *b) /* Import environment from subprocess */ if ((r = sshbuf_get_u32(b, &num_env)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); - if (num_env > 1024) - fatal("%s: received %u environment variables, expected <= 1024", - __func__, num_env); + if (num_env > 1024) { + fatal_f("received %u environment variables, expected <= 1024", + num_env); + } sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env)); - debug3("PAM: num env strings %d", num_env); + debug3("PAM: num env strings %u", num_env); for(i = 0; i < num_env; i++) { if ((r = sshbuf_get_cstring(b, &(sshpam_env[i]), NULL)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); @@ -365,7 +366,11 @@ import_environments(struct sshbuf *b) /* Import PAM environment from subprocess */ if ((r = sshbuf_get_u32(b, &num_env)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); - debug("PAM: num PAM env strings %d", num_env); + if (num_env > 1024) { + fatal_f("received %u PAM env variables, expected <= 1024", + num_env); + } + debug("PAM: num PAM env strings %u", num_env); for (i = 0; i < num_env; i++) { if ((r = sshbuf_get_cstring(b, &env, NULL)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); |