[openssh-commits] [openssh] 02/02: upstream: scrub keyboard-interactive authentication prompts coming

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Nov 13 18:32:31 AEDT 2020


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 04088725ec9c44880c01799b588cd4ba47b3e8bc
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Nov 13 07:30:44 2020 +0000

    upstream: scrub keyboard-interactive authentication prompts coming
    
    from the server through asmprintf() prior to display; suggested by and ok
    dtucker@
    
    OpenBSD-Commit-ID: 31fe93367645c37fbfe4691596bf6cf1e3972a58
---
 sshconnect2.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sshconnect2.c b/sshconnect2.c
index 6c31eeaf..149bb8d6 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.335 2020/11/13 04:53:12 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.336 2020/11/13 07:30:44 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -33,6 +33,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <signal.h>
@@ -1924,9 +1925,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
 		if ((r = sshpkt_get_cstring(ssh, &prompt, NULL)) != 0 ||
 		    (r = sshpkt_get_u8(ssh, &echo)) != 0)
 			goto out;
-		xasprintf(&display_prompt, "(%s@%s) %s",
+		if (asmprintf(&display_prompt, INT_MAX, NULL, "(%s@%s) %s",
 		    authctxt->server_user, options.host_key_alias ?
-		    options.host_key_alias : authctxt->host, prompt);
+		    options.host_key_alias : authctxt->host, prompt) == -1)
+			fatal_f("asmprintf failed");
 		response = read_passphrase(display_prompt, echo ? RP_ECHO : 0);
 		if ((r = sshpkt_put_cstring(ssh, response)) != 0)
 			goto out;

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list