upstream: kbd-interactive device names should be matched against
authordjm@openbsd.org <djm@openbsd.org>
Mon, 29 Sep 2025 02:32:15 +0000 (02:32 +0000)
committerDamien Miller <djm@mindrot.org>
Mon, 29 Sep 2025 03:24:57 +0000 (13:24 +1000)
the full device name, not a prefix. Doesn't matter in practice as there is
only one kbd-int device supported (PAM xor BSD auth), and an attacker would
still need to successfully authenticate against an incorrectly-selected
device.

reported by ashamedbit, NobleMathews; ok deraadt@

OpenBSD-Commit-ID: cf75d4f99405fbb41354c4ae724a3b39a3b58f82

auth2-chall.c

index 021df8291736e2441977ea62a8d20f927ae155ef..5af8b0945d59b40d387dd19c04f217fa6d16fa7f 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.54 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.55 2025/09/29 02:32:15 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -154,7 +154,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 {
        size_t len;
        char *t;
-       int i;
+       size_t i;
 
        if (kbdintctxt->device)
                kbdint_reset_device(kbdintctxt);
@@ -165,11 +165,14 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
                if (len == 0)
                        break;
                for (i = 0; devices[i]; i++) {
+                       if (i >= sizeof(kbdintctxt->devices_done) * 8)
+                               fatal_f("internal error: too may devices");
                        if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
                            !auth2_method_allowed(authctxt,
                            "keyboard-interactive", devices[i]->name))
                                continue;
-                       if (strncmp(kbdintctxt->devices, devices[i]->name,
+                       if (strlen(devices[i]->name) == len &&
+                           memcmp(kbdintctxt->devices, devices[i]->name,
                            len) == 0) {
                                kbdintctxt->device = devices[i];
                                kbdintctxt->devices_done |= 1 << i;
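Review bot: Both bit operations on devices_done in this hunk, the `(kbdintctxt->devices_done & (1 << i))` test and the `devices_done |= 1 << i` update, still shift the int constant `1`, even though the new bounds check allows `i` up to `sizeof(devices_done) * 8 - 1`; if devices_done is a 32-bit unsigned field (its declaration is outside the hunk, so this is inferred from the bound), `1 << 31` is signed overflow and undefined behaviour in C11. Use a constant of the field's type in both places, e.g. `(1U << i)`, or `((u_int)1 << i)` if that is the field type. The new fatal_f string also has a typo: `fatal_f("internal error: too many devices");`. Minor: `sizeof(kbdintctxt->devices_done) * CHAR_BIT` says what the bound means more portably than `* 8`, though the result is the same on every platform OpenSSH targets. kbdint_next_device begins and ends outside this hunk, so the origin of `len` and what happens after a device is selected are not visible here.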