Vulnerability Development mailing list archives

Re: possible bug in fonction _local_getpw() and in openssh


From: Damien Miller <djm () MINDROT ORG>
Date: Thu, 15 Feb 2001 10:31:58 +1100

On Wed, 14 Feb 2001, Cyril Diakhate wrote:

Subject: possible bug in fonction _local_getpw() and in openssh

# uname -a
NetBSD tamtam 1.5 NetBSD 1.5 (Rsky) #14: Sun Feb 11 00:44:52 CET 2001
root@packetfilter:/usr/src/sys/arch/i386/compile/Rsky i386

[snip]

from libc/db/hash_func.c (175): access to key (key.data: a
MAXLOGNAME buffer) is made for a size of len bytes.

[snip]

A possible bad use of getpwnam can be found in sshd (openssh-2.3.0-p1)
in auth1.c:
[...]
        pw = getpwnam(user);
[...]

The length of the username is not limited: on systems that have an
implementation of getpwnam() similar to NetBSD's, it could lead to
the previous bug or even to an overflow.

The following trivial patch should fix this issue.

Why not fix the problem in one place (the password checking code) rather
than in 5 separate places in OpenSSH, not to mention the numerous other
apps that do the same thing? The NetBSD manpage doesn't mention any
limit on the length of the username to be passed to it.

Here:

static int
_local_getpw(rv, cb_data, ap)
[...]
        case _PW_KEYBYNAME:
                name = va_arg(ap, const char *);
                len = strlen(name);
                memmove(bf + 1, name, (size_t)MIN(len, MAXLOGNAME));
-               key.size = len + 1;
+               key.size = MIN(len, MAXLOGNAME);
                break;
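Review bot: the replacement `key.size = MIN(len, MAXLOGNAME);` drops the `+ 1` that the removed line used to account for the key-type byte at `bf[0]` (the name itself is copied to `bf + 1`), so the key is now one byte shorter than the data it describes; it should read `key.size = MIN(len, MAXLOGNAME) + 1;`. Separately, clamping rather than rejecting means a name longer than MAXLOGNAME is looked up as its first MAXLOGNAME bytes, so it would match whichever account has that shorter login; returning "not found" when `len > MAXLOGNAME` avoids that, and removes the need to worry about terminating `bf`.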

perhaps bf needs nul termination as well.

-d

--
| Damien Miller <djm () mindrot org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
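As an added illustration of the point argued in this thread (this is example code written for this page, not NetBSD libc or OpenSSH code), the following C program models the key construction in the _PW_KEYBYNAME case: the copy into the key buffer is bounded by MAXLOGNAME while key.size is not, so the database layer is told to read more bytes than the buffer holds. It then shows a bounded construction that refuses overlong names, and the kind of caller-side length check the sshd patch proposed. The value of MAXLOGNAME, the key-type byte, the size of the key buffer and the 40-character login name are all assumptions made for the model.

```c
/* Added example; not code from NetBSD or OpenSSH. Models the key
 * construction in _local_getpw() (_PW_KEYBYNAME case) and a bounded
 * alternative. MAXLOGNAME, KEY_BYNAME, KEYBUF_LEN and LONGNAME are
 * assumptions made for this model, not values taken from either project. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXLOGNAME 16                   /* assumed login-name limit */
#define KEY_BYNAME '1'                  /* assumed key-type byte in bf[0] */
#define KEYBUF_LEN (MAXLOGNAME + 1)     /* type byte + up to MAXLOGNAME chars */
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* constructed input: a 40-character login name, far past MAXLOGNAME */
#define LONGNAME "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"

struct dbkey {
    const void *data;
    size_t size;
};

/* Original construction: the memmove() is bounded by MAXLOGNAME, but
 * key.size is len + 1 regardless of how much was actually copied. */
static void key_original(char bf[KEYBUF_LEN], const char *name, struct dbkey *key)
{
    size_t len = strlen(name);
    bf[0] = KEY_BYNAME;
    memmove(bf + 1, name, MIN(len, MAXLOGNAME));
    key->data = bf;
    key->size = len + 1;
}

/* key.size the original construction reports for a given name. */
size_t original_key_size(const char *name)
{
    char bf[KEYBUF_LEN];
    struct dbkey key;
    key_original(bf, name, &key);
    return key.size;
}

/* How many bytes of key.size lie past the end of bf: the amount a hash
 * function reading key.size bytes from key.data would over-read. */
size_t original_overread(const char *name)
{
    size_t size = original_key_size(name);
    return size > KEYBUF_LEN ? size - KEYBUF_LEN : 0;
}

/* Bounded construction: reject names longer than MAXLOGNAME rather than
 * silently truncating them (a truncated key would match the account whose
 * login is the first MAXLOGNAME bytes of the overlong name). Returns the
 * key size (type byte + copied bytes) or -1 if the name is too long. */
int bounded_key_size(const char *name)
{
    char bf[KEYBUF_LEN];
    size_t len = strlen(name);
    if (len > MAXLOGNAME)
        return -1;
    bf[0] = KEY_BYNAME;
    memmove(bf + 1, name, len);
    return (int)(len + 1);          /* bf and size now always agree */
}

/* Caller-side guard of the kind the sshd patch proposed: check the
 * length before the name ever reaches getpwnam(). Returns 1 if acceptable. */
int login_name_ok(const char *user)
{
    return strlen(user) <= MAXLOGNAME;
}

int main(void)
{
    printf("original: key.size=%zu, %zu bytes past the buffer\n",
           original_key_size(LONGNAME), original_overread(LONGNAME));
    printf("bounded: %d\n", bounded_key_size(LONGNAME));
    printf("sshd guard: %s\n", login_name_ok(LONGNAME) ? "accept" : "reject");
    return 0;
}
```

Running it with the 40-character name reports a key.size of 41 against a 17-byte buffer, i.e. a 24-byte over-read by anything that trusts key.size; the bounded variant returns -1 for the same input and the caller-side guard rejects it, which shows that either fix closes the mismatch, with the libc-side one covering every caller at once.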

