Vulnerability Development mailing list archives
Re: possible bug in fonction _local_getpw() and in openssh
From: Damien Miller <djm () MINDROT ORG>
Date: Thu, 15 Feb 2001 10:31:58 +1100
On Wed, 14 Feb 2001, Cyril Diakhate wrote:
Subject: possible bug in fonction _local_getpw() and in openssh

# uname -a
NetBSD tamtam 1.5 NetBSD 1.5 (Rsky) #14: Sun Feb 11 00:44:52 CET 2001 root@packetfilter:/usr/src/sys/arch/i386/compile/Rsky i386
[snip]
From libc/db/hash_func.c (line 175): access to key (key.data, a MAXLOGNAME buffer) is made for a size of len bytes.
[snip]
A possible bad use of getpwnam can be found in sshd (openssh-2.3.0-p1) in auth1.c:

[...]
pw = getpwnam(user);
[...]

The length of the username is not limited: on systems whose getpwnam() implementation is similar to NetBSD's, it could lead to the previous bug or even to an overflow. The following trivial patch should fix this issue.
Why not fix the problem in one place (the password checking code) rather than in 5 separate places in OpenSSH, not to mention the numerous other apps that do the same thing? The NetBSD manpage doesn't mention any limit on the length of the username to be passed to it.

Here:

static int
_local_getpw(rv, cb_data, ap)
[...]
	case _PW_KEYBYNAME:
		name = va_arg(ap, const char *);
		len = strlen(name);
		memmove(bf + 1, name, (size_t)MIN(len, MAXLOGNAME));
-		key.size = len + 1;
+		key.size = MIN(len, MAXLOGNAME);
		break;

perhaps bf needs nul termination as well.

-d

--
| Damien Miller <djm () mindrot org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          / distributed filesystem'' - Dan Geer
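Review bot: the replacement line `key.size = MIN(len, MAXLOGNAME);` drops the `+ 1` that the original `key.size = len + 1;` carried for the byte in front of the name: `memmove(bf + 1, name, (size_t)MIN(len, MAXLOGNAME));` places the name at offset 1, so the key actually written into bf spans `MIN(len, MAXLOGNAME) + 1` bytes and the patched size is one byte short of it. Suggest `key.size = MIN(len, MAXLOGNAME) + 1;` so the key length matches what was stored. Separately, truncating with MIN rather than rejecting means a name longer than MAXLOGNAME is looked up as its first MAXLOGNAME bytes, so such a name can resolve to a different, existing account that shares that prefix; returning not-found when `len > MAXLOGNAME` (before the memmove) avoids both the over-read in hash_func.c and that ambiguity, and is also the "fix it in one place" the message argues for.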
Current thread:
- possible bug in fonction _local_getpw() and in openssh Cyril Diakhate (Feb 14)
- Re: possible bug in fonction _local_getpw() and in openssh Damien Miller (Feb 14)