From OpenBSD.
Author: millert <millert@openbsd.org>
Date: Wed, 15 Mar 2023 17:01:35 +0000
Fix the length check when computing a fake challenge for users not in
the S/Key database. If the system hostname is longer than 126 characters
this could result in NUL bytes being written past the end of a stack
buffer. There is no impact on systems with a hostname 126 characters or
less. Found by Qualys. OK deraadt@
--- skey-1.1.5/skeylogin.c
+++ skey-1.1.5/skeylogin.c
@@ -486,8 +486,8 @@
for (p = pbuf; *p && isalnum((u_char)*p); p++)
if (isalpha((u_char)*p) && isupper((u_char)*p))
*p = tolower((u_char)*p);
- if (*p && pbuf - p < 4)
- strncpy(p, "asjd", 4 - (pbuf - p));
+ if (*p && p - pbuf < 4)
+ strncpy(p, "asjd", 4 - (p - pbuf));
pbuf[4] = '\0';
/* Hash the username if possible */
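Review bot: The corrected guard and the strncpy length on the two added lines each recompute `p - pbuf` as a signed pointer difference, and the length stays in 1..4 only because of the guard in the same condition; computing it once makes that coupling explicit, e.g. `size_t used = (size_t)(p - pbuf);` followed by `if (*p && used < 4) strncpy(p, "asjd", 4 - used);`. The strncpy deliberately leaves the buffer unterminated and depends on `pbuf[4] = '\0'` on the next line, which deserves a short comment such as `/* strncpy does not terminate here; pbuf[4] below does */`. The scan loop above has no bound of its own and stops only at a NUL or a non-alphanumeric byte, so it relies on pbuf being NUL-terminated by code outside this hunk, which is worth confirming given the long-hostname case in the description. The enclosing function begins and ends outside the hunk.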