-rw-r--r--ChangeLog3
-rw-r--r--README3
-rw-r--r--sshd.c37
3 files changed, 23 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index de4f4a704..f9889b4d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+19991119
+ - Merged PAM buffer overrun patch from Chip Salzenberg <chip@valinux.com>
+
19991118
- Merged OpenBSD CVS changes
- [scp.c] foregroundproc() in scp
diff --git a/README b/README
index 06080b0dd..c9427da27 100644
--- a/README
+++ b/README
@@ -1,4 +1,5 @@
-This is the Unix port of OpenBSD's excellent OpenSSH.
+This is the port of OpenBSD's excellent OpenSSH to Linux and other
+Unices.
OpenSSH is based on the last free version of Tatu Ylonen's SSH with
all patent-encumbered algorithms removed, all known security bugs
diff --git a/sshd.c b/sshd.c
index 9e33f69f7..e3a94bf13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -18,7 +18,7 @@ agent connections.
*/
#include "includes.h"
-RCSID("$Id: sshd.c,v 1.23 1999/11/17 22:28:11 damien Exp $");
+RCSID("$Id: sshd.c,v 1.24 1999/11/18 20:56:21 damien Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -152,8 +152,10 @@ char *pamconv_msg = NULL;
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
- int count = 0;
- struct pam_response *reply = NULL;
+ struct pam_response *reply;
+ int count;
+ size_t msg_len;
+ char *p;
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
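Review bot: The context line `reply = malloc(num_msg * sizeof(*reply));` still sizes the reply array from a signed `int` handed in by the PAM stack, with no range check visible in this hunk. A zero or negative `num_msg` would turn into a zero-sized or very large request before the loop indexes `reply[count]`. A guard ahead of the allocation would close that, for example `if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) return PAM_CONV_ERR;` (assuming the platform's PAM headers define that limit). The hunk also drops the `= 0` and `= NULL` initialisers, which is only safe if `count` is set by the loop header; that header and the rest of pamconv's body lie outside the hunk.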
@@ -178,25 +180,22 @@ static int pamconv(int num_msg, const struct pam_message **msg,
reply[count].resp_retcode = PAM_SUCCESS;
reply[count].resp = xstrdup("");
- if (msg[count]->msg == NULL) break;
+ if (msg[count]->msg == NULL)
+ break;
debug("Adding PAM message: %s", msg[count]->msg);
- if (pamconv_msg == NULL)
- {
- pamconv_msg = malloc(strlen(msg[count]->msg) + 2);
-
- if (pamconv_msg == NULL)
- return PAM_CONV_ERR;
-
- strncpy(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
- pamconv_msg[strlen(msg[count]->msg)] = '\n';
- pamconv_msg[strlen(msg[count]->msg) + 1] = '\0';
- } else
+
+ msg_len = strlen(msg[count]->msg);
+ if (pamconv_msg)
{
- pamconv_msg = realloc(pamconv_msg, strlen(pamconv_msg) + strlen(msg[count]->msg) + 2);
- strncat(pamconv_msg, msg[count]->msg, strlen(msg[count]->msg));
- pamconv_msg[strlen(pamconv_msg)] = '\n';
- pamconv_msg[strlen(pamconv_msg) + 1] = '\0';
+ size_t n = strlen(pamconv_msg);
+ pamconv_msg = xrealloc(pamconv_msg, n + msg_len + 2);
+ p = pamconv_msg + n;
}
+ else
+ pamconv_msg = p = xmalloc(msg_len + 2);
+ memcpy(p, msg[count]->msg, msg_len);
+ p[msg_len] = '\n';
+ p[msg_len + 1] = '\0';
break;
case PAM_PROMPT_ECHO_ON:
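Review bot: The rewritten append path changes what happens on allocation failure and says nothing about it. The removed code returned `PAM_CONV_ERR` when the first `malloc` failed, while `xmalloc`/`xrealloc` presumably terminate the process from inside the PAM conversation callback (their definitions are not on this page). If that is the intended policy, a comment such as `/* xmalloc/xrealloc do not return on failure; no PAM_CONV_ERR path needed */` would make it explicit. The size arithmetic would also benefit from a short comment above `msg_len + 2`, e.g. `/* +2: trailing '\n' and terminating NUL */`, since that off-by-one is what the removed `strncat` branch got wrong. The enclosing `switch` and loop begin and end outside the hunk.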