rpms / proftpd

Clone
Source Code
GIT

Files

el4 el5 el6 epel7 epel8 epel8-playground epel9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main rawhide
  1.   f20
  2.   proftpd-1.3.4d-bug3973.patch
Blob Blame History Raw 
--- contrib/mod_sftp_pam.c	2013/02/26 23:14:19	1.10.2.3
+++ contrib/mod_sftp_pam.c	2013/09/14 06:57:00	1.10.2.4
@@ -26,7 +26,7 @@
  * This is mod_sftp_pam, contrib software for proftpd 1.3.x and above.
  * For more information contact TJ Saunders <tj@castaglia.org>.
  *
- * $Id: mod_sftp_pam.c,v 1.10.2.3 2013/02/26 23:14:19 castaglia Exp $
+ * $Id: mod_sftp_pam.c,v 1.10.2.4 2013/09/14 06:57:00 castaglia Exp $
  * $Libraries: -lpam $
  */
 
@@ -197,22 +197,13 @@
     return PAM_CONV_ERR;
   }
 
-  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
-      &recvd_responses) < 0) {
+  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
+      &recvd_count, &recvd_responses) < 0) {
     pr_trace_msg(trace_channel, 3,
       "error receiving keyboard-interactive responses: %s", strerror(errno));
     return PAM_CONV_ERR;
   }
 
-  /* Make sure that the count of responses matches the challenge count. */
-  if (recvd_count != list->nelts) {
-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
-      "sent %d %s, but received %u %s", nmsgs,
-      list->nelts != 1 ? "challenges" : "challenge", recvd_count,
-      recvd_count != 1 ? "responses" : "response");
-    return PAM_CONV_ERR;
-  }
-
   res = calloc(nmsgs, sizeof(struct pam_response));
   if (res == NULL) {
     pr_log_pri(PR_LOG_CRIT, "Out of memory!");
--- contrib/mod_sftp/kbdint.c	2011/05/23 21:03:12	1.4
+++ contrib/mod_sftp/kbdint.c	2013/09/14 06:57:00	1.4.2.1
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
- * Copyright (c) 2008-2009 TJ Saunders
+ * Copyright (c) 2008-2013 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
  * resulting executable, without including the source code for OpenSSL in the
  * source distribution.
  *
- * $Id: kbdint.c,v 1.4 2011/05/23 21:03:12 castaglia Exp $
+ * $Id: kbdint.c,v 1.4.2.1 2013/09/14 06:57:00 castaglia Exp $
  */
 
 #include "mod_sftp.h"
@@ -31,6 +31,8 @@
 #include "utf8.h"
 #include "kbdint.h"
 
+#define SFTP_KBDINT_MAX_RESPONSES	500
+
 struct kbdint_driver {
   struct kbdint_driver *next, *prev;
 
@@ -252,8 +254,8 @@
   return res;
 }
 
-int sftp_kbdint_recv_response(pool *p, unsigned int *count,
-    const char ***responses) {
+int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
+    unsigned int *rcvd_count, const char ***responses) {
   register unsigned int i;
   char *buf;
   cmd_rec *cmd;
@@ -264,7 +266,7 @@
   int res;
 
   if (p == NULL ||
-      count == NULL ||
+      rcvd_count == NULL ||
       responses == NULL) {
     errno = EINVAL;
     return -1;
@@ -299,6 +301,29 @@
 
   resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
 
+  /* Ensure that the number of responses sent by the client is the same
+   * as the number of challenges sent, lest a malicious client attempt to
+   * trick us into allocating too much memory (Bug#3973).
+   */
+  if (resp_count != expected_count) {
+    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+      "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
+      expected_count != 1 ? "challenges" : "challenge",
+      (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
+    destroy_pool(pkt->pool);
+    errno = EPERM;
+    return -1;
+  }
+
+  if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
+    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+      "received too many responses (%lu > max %lu), rejecting",
+      (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
+    destroy_pool(pkt->pool);
+    errno = EPERM;
+    return -1;
+  }
+
   list = make_array(p, resp_count, sizeof(char *));
   for (i = 0; i < resp_count; i++) {
     char *resp;
@@ -307,7 +332,7 @@
     *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
   }
 
-  *count = (unsigned int) resp_count;
+  *rcvd_count = (unsigned int) resp_count;
   *responses = ((const char **) list->elts);
   return 0;
 }
--- contrib/mod_sftp/mod_sftp.h.in	2011/10/12 17:15:56	1.22
+++ contrib/mod_sftp/mod_sftp.h.in	2013/09/14 06:57:00	1.22.2.1
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp
- * Copyright (c) 2008-2011 TJ Saunders
+ * Copyright (c) 2008-2013 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
  * resulting executable, without including the source code for OpenSSL in the
  * source distribution.
  *
- * $Id: mod_sftp.h.in,v 1.22 2011/10/12 17:15:56 castaglia Exp $
+ * $Id: mod_sftp.h.in,v 1.22.2.1 2013/09/14 06:57:00 castaglia Exp $
  */
 
 #ifndef MOD_SFTP_H
@@ -174,7 +174,8 @@
 int sftp_kbdint_unregister_driver(const char *name);
 int sftp_kbdint_send_challenge(const char *, const char *, unsigned int,
   sftp_kbdint_challenge_t *);
-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***);
+int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *,
+  const char ***);
 
 /* API for modules that which to register keystores, for the
  * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.