- djm@cvs.openbsd.org 2014/03/03 22:22:30

     [session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@

diff --git a/ChangeLog b/ChangeLog
index fa0453c86ad9d32894fd737c3ff054cadfc798cf..e49127bfa480ae1b81352e1e7261a27494ff3df4 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140304
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/03/03 22:22:30
+     [session.c]
+     ignore enviornment variables with embedded '=' or '\0' characters;
+     spotted by Jann Horn; ok deraadt@
+
 20140301
  - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
    no moduli file exists at the expected location.

diff --git a/session.c b/session.c
index f5049774be4d92a47f788fd6423894bd87e0b439..2bcf8185ce0e141f6a3d51f87f19aada7c17b6d8 100644 (file)
--- a/session.c
+++ b/session.c
@@ -978,6 +978,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
        u_int envsize;
        u_int i, namelen;
 
+       if (strchr(name, '=') != NULL) {
+               error("Invalid environment variable \"%.100s\"", name);
+               return;
+       }
+
        /*
         * If we're passed an uninitialized list, allocate a single null
         * entry before continuing.
@@ -2225,8 +2230,8 @@ session_env_req(Session *s)
        char *name, *val;
        u_int name_len, val_len, i;
 
-       name = packet_get_string(&name_len);
-       val = packet_get_string(&val_len);
+       name = packet_get_cstring(&name_len);
+       val = packet_get_cstring(&val_len);
        packet_check_eom();
 
        /* Don't set too many environment variables */