tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Limit the number of PAM environment variables. 

From Coverity CID 405194, tweaks and ok djm@
This commit is contained in:
Darren Tucker 2023-03-09 18:19:44 +11:00
parent 36c6c3eff5
commit a231414970
No known key found for this signature in database
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
auth-pam.c
View File

@ -351,11 +351,12 @@ import_environments(struct sshbuf *b)
/* Import environment from subprocess */ /* Import environment from subprocess */
if ((r = sshbuf_get_u32(b, &num_env)) != 0) if ((r = sshbuf_get_u32(b, &num_env)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (num_env > 1024) if (num_env > 1024) {
fatal("%s: received %u environment variables, expected <= 1024", fatal_f("received %u environment variables, expected <= 1024",
__func__, num_env); num_env);
}
sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env)); sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env));
debug3("PAM: num env strings %d", num_env); debug3("PAM: num env strings %u", num_env);
for(i = 0; i < num_env; i++) { for(i = 0; i < num_env; i++) {
if ((r = sshbuf_get_cstring(b, &(sshpam_env[i]), NULL)) != 0) if ((r = sshbuf_get_cstring(b, &(sshpam_env[i]), NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal("%s: buffer error: %s", __func__, ssh_err(r));
@ -365,7 +366,11 @@ import_environments(struct sshbuf *b)
/* Import PAM environment from subprocess */ /* Import PAM environment from subprocess */
if ((r = sshbuf_get_u32(b, &num_env)) != 0) if ((r = sshbuf_get_u32(b, &num_env)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal("%s: buffer error: %s", __func__, ssh_err(r));
debug("PAM: num PAM env strings %d", num_env); if (num_env > 1024) {
fatal_f("received %u PAM env variables, expected <= 1024",
num_env);
}
debug("PAM: num PAM env strings %u", num_env);
for (i = 0; i < num_env; i++) { for (i = 0; i < num_env; i++) {
if ((r = sshbuf_get_cstring(b, &env, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &env, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal("%s: buffer error: %s", __func__, ssh_err(r));