mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
keyboard-interactive auth: use a uint32 for num_prompts.
While testing the previous fix, I also noticed that s->num_prompts is an ordinary signed int. So if the server sends a _really_ large value, it'll be treated as negative. That's kind of harmless: our loop wouldn't read any prompts at all from the packet, and then it would send back the same nonsense count with no responses. But it's inelegant: now, if the server violates the protocol in this way, we respond by sending an even wronger packet in return. Changed the type of num_prompts and the loop variable to uint32_t, so now we'll respond by actually trying to read that many prompts, which will fail by reaching the new error check. I think that's a more sensible way to handle this one.
This commit is contained in:
parent
0d0b0a45bc
commit
dbd9a07fd0
@ -57,7 +57,7 @@ struct ssh2_userauth_state {
|
||||
strbuf *last_methods_string;
|
||||
bool kbd_inter_refused;
|
||||
prompts_t *cur_prompt;
|
||||
int num_prompts;
|
||||
uint32_t num_prompts;
|
||||
const char *username;
|
||||
char *locally_allocated_username;
|
||||
char *password;
|
||||
@ -1231,7 +1231,6 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
|
||||
|
||||
ptrlen name, inst;
|
||||
strbuf *sb;
|
||||
int i;
|
||||
|
||||
/*
|
||||
* We've got a fresh USERAUTH_INFO_REQUEST.
|
||||
@ -1248,7 +1247,7 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
|
||||
* Get any prompt(s) from the packet.
|
||||
*/
|
||||
s->num_prompts = get_uint32(pktin);
|
||||
for (i = 0; i < s->num_prompts; i++) {
|
||||
for (uint32_t i = 0; i < s->num_prompts; i++) {
|
||||
ptrlen prompt = get_string(pktin);
|
||||
bool echo = get_bool(pktin);
|
||||
|
||||
@ -1366,7 +1365,7 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
|
||||
s->pktout = ssh_bpp_new_pktout(
|
||||
s->ppl.bpp, SSH2_MSG_USERAUTH_INFO_RESPONSE);
|
||||
put_uint32(s->pktout, s->num_prompts);
|
||||
for (i=0; i < s->num_prompts; i++) {
|
||||
for (uint32_t i = 0; i < s->num_prompts; i++) {
|
||||
put_stringz(s->pktout,
|
||||
s->cur_prompt->prompts[i]->result);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user