[openssh-commits] [openssh] 02/03: upstream: kbd-interactive device names should be matched against

git+noreply at mindrot.org
Mon Sep 29 13:25:10 AEST 2025


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit bcd88ded2fff97652d4236405a3354ca66f90f7e
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Sep 29 02:32:15 2025 +0000

    upstream: kbd-interactive device names should be matched against
    
    the full device name, not a prefix. Doesn't matter in practice as there is
    only one kbd-int device supported (PAM xor BSD auth), and an attacker would
    still need to successfully authenticate against an incorrectly-selected
    device.
    
    reported by ashamedbit, NobleMathews; ok deraadt@
    
    OpenBSD-Commit-ID: cf75d4f99405fbb41354c4ae724a3b39a3b58f82
---
 auth2-chall.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/auth2-chall.c b/auth2-chall.c
index 021df8291..5af8b0945 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.54 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.55 2025/09/29 02:32:15 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -154,7 +154,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 {
 	size_t len;
 	char *t;
-	int i;
+	size_t i;
 
 	if (kbdintctxt->device)
 		kbdint_reset_device(kbdintctxt);
@@ -165,11 +165,14 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 		if (len == 0)
 			break;
 		for (i = 0; devices[i]; i++) {
+			if (i >= sizeof(kbdintctxt->devices_done) * 8)
+				fatal_f("internal error: too may devices");
 			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
 			    !auth2_method_allowed(authctxt,
 			    "keyboard-interactive", devices[i]->name))
 				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name,
+			if (strlen(devices[i]->name) == len &&
+			    memcmp(kbdintctxt->devices, devices[i]->name,
 			    len) == 0) {
 				kbdintctxt->device = devices[i];
 				kbdintctxt->devices_done |= 1 << i;
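Review bot: the message in the new guard reads "too may devices" and should be "too many devices". More substantively, the guard `i >= sizeof(kbdintctxt->devices_done) * 8` allows i to reach one less than the bit width of devices_done, but the mask on the two following lines is still built as `1 << i` from an int literal, so at the largest permitted i the shift lands on the sign bit of an int and, for a devices_done that is not wider than int, `1 << 31` is signed overflow, which is undefined behaviour in C; building the mask as `1U << i` (or with a cast to the type of devices_done) would make the mask agree with the bound the guard enforces. The replacement of strncmp with `strlen(devices[i]->name) == len && memcmp(..., len) == 0` is correct for the stated goal: the candidate name must match the whole token, not merely share its prefix.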
