From dac0b76fb075046228ec5f2f1168a87be7398e3f Mon Sep 17 00:00:00 2001
From: djm
Date: Tue, 31 Aug 2010 12:36:39 +0000
Subject: - djm@cvs.openbsd.org 2010/08/31 09:58:37 [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] [packet.h ssh-dss.c ssh-rsa.c] Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
---
 kex.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'kex.c')
diff --git a/kex.c b/kex.c
index 148cfee8..ca5aae3e 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.82 2009/10/24 11:13:54 andreas Exp $ */
+/* $OpenBSD: kex.c,v 1.83 2010/08/31 09:58:37 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 *
@@ -98,7 +98,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
 buffer_get_char(&b);
 /* extract kex init proposal strings */
 for (i = 0; i < PROPOSAL_MAX; i++) {
- proposal[i] = buffer_get_cstring(&b,NULL);
+ proposal[i] = buffer_get_cstring(&b,NULL);
 debug2("kex_parse_kexinit: %s", proposal[i]);
 }
 /* first kex follows / reserved */
--
cgit v1.2.1
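Review bot: The loop in the second hunk gives no hint why the KEXINIT name-lists are read with `buffer_get_cstring()` rather than `buffer_get_string()`, so a later cleanup could revert the call without noticing that it drops a check on peer-supplied, pre-authentication data. I would extend the existing comment to something like `/* extract kex init proposal strings; reject embedded NULs, since these lists are later handled with string(3) functions */`. The commit message says a single trailing NUL is still accepted, and because the length pointer is `NULL` here, that case is indistinguishable from a clean string at this call site. `buffer_get_cstring()` is defined outside this view (the page is limited to kex.c); presumably it treats a rejected string as fatal the way `buffer_get_string()` does, but that should be confirmed, because `proposal[i]` goes straight into the `%s` of `debug2()` on the next line with no NULL check. `kex_buf2prop` starts and ends outside the hunk.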