OpenSSH 3.0

Shun-ichi GOTO gotoh at taiyo.co.jp
Wed Nov 7 14:47:48 EST 2001


> OpenSSH 3.0 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.

The following patch, reported on 2001/10/09, is not applied in OpenSSH 3.0p1.
Without it, the ssh program causes an access violation or memory overwrite
problem if the SSH_ASKPASS program returns too long a string (greater than
sizeof buf).

It also treats the '\r' character as a line terminator like '\n', to be safe.

--- readpass.c	2001/10/09 05:42:49	1.1.1.1
+++ readpass.c	2001/10/09 08:06:38
@@ -45,7 +45,7 @@
 {
 	pid_t pid;
 	size_t len;
-	char *nl, *pass;
+	char *pass;
 	int p[2], status;
 	char buf[1024];
 
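Review bot: `size_t len;` in this declaration block stays unsigned, but read() returns ssize_t, so a failed read (-1) turns into a huge value that passes the later `if (len <= 1)` test and makes the new `buf[len] = '\0'` store land far outside `buf`. Declare `len` as `ssize_t` and handle a negative result before it is used as an index.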
@@ -71,16 +71,15 @@
 		fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
 	}
 	close(p[1]);
-	len = read(p[0], buf, sizeof buf);
+	len = read(p[0], buf, sizeof buf -1);
 	close(p[0]);
 	while (waitpid(pid, &status, 0) < 0)
 		if (errno != EINTR)
 			break;
 	if (len <= 1)
 		return xstrdup("");
-	nl = strchr(buf, '\n');
-	if (nl)
-		*nl = '\0';
+	buf[len] = '\0';
+	buf[strcspn(buf, "\r\n")] = '\0';
 	pass = xstrdup(buf);
 	memset(buf, 0, sizeof(buf));
 	return pass;
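Review bot: at `len = read(p[0], buf, sizeof buf -1);` a reply longer than the buffer is now cut off silently at sizeof buf - 1 bytes and returned as the passphrase, and a reply that arrives in more than one read() is cut short as well. Consider reading until EOF and treating a full buffer as an error rather than as a valid answer. Separately, the `if (len <= 1)` path returns before `memset(buf, 0, sizeof(buf))`, so clearing `buf` ahead of every return would be tidier.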

--- Regards,
 Shun-ichi Goto  <gotoh at taiyo.co.jp>
   R&D Group, TAIYO Corp., Tokyo, JAPAN
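
A bounded way to read a helper program's reply from a pipe, given here as an added example (it is not code from OpenSSH or from the patch above). The name `read_reply` and its return convention are assumptions; it goes beyond the patch by keeping read()'s result signed, looping over short reads, and rejecting an over-long reply instead of truncating it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not OpenSSH code: read one reply line from fd into
 * buf (capacity buflen, NUL included). Returns the line length, or -1 on a
 * read error or an over-long reply; on failure buf is cleared. */
static ssize_t read_reply(int fd, char *buf, size_t buflen)
{
	size_t used = 0;
	ssize_t n;		/* signed, so a -1 from read() stays visible */
	char extra;
	if (buflen == 0)
		return -1;
	for (;;) {
		/* Full buffer: probe one more byte; anything but EOF is too long. */
		if (used == buflen - 1)
			n = read(fd, &extra, 1);
		else
			n = read(fd, buf + used, buflen - 1 - used);
		if (n < 0 && errno == EINTR)
			continue;
		if (n < 0 || (n > 0 && used == buflen - 1))
			goto fail;
		if (n == 0)
			break;		/* EOF: the writer closed the pipe */
		used += (size_t)n;
	}
	buf[used] = '\0';	/* used <= buflen - 1, always in bounds */
	buf[strcspn(buf, "\r\n")] = '\0';
	return (ssize_t)strlen(buf);
fail:
	memset(buf, 0, buflen);
	return -1;
}

int main(void)
{
	int p[2];
	char buf[16];
	/* Constructed input: a reply terminated by CR LF. */
	if (pipe(p) != 0 || write(p[1], "secret\r\n", 8) != 8)
		return 1;
	close(p[1]);
	printf("%zd\n", read_reply(p[0], buf, sizeof(buf)));
	return 0;
}
```

The reply, line terminator included, must fit in `buflen - 1` bytes; anything longer is reported as a failure.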


