Commit 995ea41f authored by Niels Möller's avatar Niels Möller

(do_userauth_info_request): Enforce limits

on the length of name and instruction. Prepend the name and a
newline to the instruction.

Rev: src/client_userauth.c:1.60
parent 6c14fbf9
...@@ -1057,7 +1057,6 @@ do_userauth_info_request(struct packet_handler *s, ...@@ -1057,7 +1057,6 @@ do_userauth_info_request(struct packet_handler *s,
struct simple_buffer buffer; struct simple_buffer buffer;
unsigned msg_number; unsigned msg_number;
/* What is the name used for anyway??? For now, we ignore it. */
const uint8_t *name; const uint8_t *name;
uint32_t name_length; uint32_t name_length;
...@@ -1066,8 +1065,9 @@ do_userauth_info_request(struct packet_handler *s, ...@@ -1066,8 +1065,9 @@ do_userauth_info_request(struct packet_handler *s,
/* Deprecated and ignored */ /* Deprecated and ignored */
const uint8_t *language; const uint8_t *language;
uint32_t language_length; uint32_t language_length;
uint32_t nprompt; /* Typed as "int" in the spec. Hope that means uint32_t? */ /* Typed as "int" in the spec. Hope that means uint32_t? */
uint32_t nprompt;
simple_buffer_init(&buffer, STRING_LD(packet)); simple_buffer_init(&buffer, STRING_LD(packet));
if (parse_uint8(&buffer, &msg_number) if (parse_uint8(&buffer, &msg_number)
...@@ -1080,7 +1080,9 @@ do_userauth_info_request(struct packet_handler *s, ...@@ -1080,7 +1080,9 @@ do_userauth_info_request(struct packet_handler *s,
struct interact_dialog *dialog; struct interact_dialog *dialog;
unsigned i; unsigned i;
if (nprompt > KBDINTERACT_MAX_PROMPTS) if (nprompt > KBDINTERACT_MAX_PROMPTS
|| name_length > KBDINTERACT_MAX_LENGTH
|| instruction_length > 10*KBDINTERACT_MAX_LENGTH)
{ {
static const struct exception bad_info_request = static const struct exception bad_info_request =
STATIC_EXCEPTION(EXC_USERAUTH, "Too large USERAUTH_INFO_RQUEST"); STATIC_EXCEPTION(EXC_USERAUTH, "Too large USERAUTH_INFO_RQUEST");
...@@ -1096,7 +1098,8 @@ do_userauth_info_request(struct packet_handler *s, ...@@ -1096,7 +1098,8 @@ do_userauth_info_request(struct packet_handler *s,
{ {
const uint8_t *prompt; const uint8_t *prompt;
uint32_t prompt_length; uint32_t prompt_length;
struct lsh_string *s;
if (! (parse_string(&buffer, &prompt_length, &prompt) if (! (parse_string(&buffer, &prompt_length, &prompt)
&& parse_boolean(&buffer, &dialog->echo[i]))) && parse_boolean(&buffer, &dialog->echo[i])))
{ {
...@@ -1109,14 +1112,38 @@ do_userauth_info_request(struct packet_handler *s, ...@@ -1109,14 +1112,38 @@ do_userauth_info_request(struct packet_handler *s,
KILL(dialog); KILL(dialog);
goto beyond_limit; goto beyond_limit;
} }
dialog->prompt[i] = low_utf8_to_local(prompt_length, prompt, s = low_utf8_to_local(prompt_length, prompt,
utf8_replace | utf8_paranoid); utf8_replace | utf8_paranoid);
if (!s)
goto error;
dialog->prompt[i] = s;
} }
if (!INTERACT_DIALOG(self->state->tty, dialog->instruction
low_utf8_to_local(instruction_length, instruction, = low_utf8_to_local(instruction_length, instruction,
utf8_replace | utf8_paranoid), utf8_replace | utf8_paranoid);
dialog))
if (!dialog->instruction)
goto error;
if (name_length > 0)
{
/* Prepend to instruction */
struct lsh_string *s;
s = low_utf8_to_local(name_length, name,
utf8_replace | utf8_paranoid);
if (!s)
goto error;
dialog->instruction = ssh_format("%lfS\n%lfS\n",
s, dialog->instruction);
}
else
dialog->instruction = ssh_format("%lfS\n", dialog->instruction);
if (!INTERACT_DIALOG(self->state->tty, dialog))
{ {
static const struct exception bad_info_request = static const struct exception bad_info_request =
STATIC_EXCEPTION(EXC_USERAUTH, "No user response"); STATIC_EXCEPTION(EXC_USERAUTH, "No user response");
......
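Review bot: The three new `goto error` exits in the last hunk (one after each `low_utf8_to_local` call) leave `dialog` alive, whereas the neighbouring over-limit exit does `KILL(dialog); goto beyond_limit;`. The `error` label is outside the visible lines, so unless it already releases the dialog, each of these exits should read `{ KILL(dialog); goto error; }`. These paths are taken when conversion of server-supplied text (a prompt, the instruction or the name) fails, so the cleanup should match the other rejection path rather than be left to later collection. Separately, both new `struct lsh_string *s` locals shadow the handler parameter `s` shown in the hunk headers; a distinct name such as `text` would avoid that. The function body starts and ends outside this section.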