summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2014-03-04 09:35:17 +1100
committerDamien Miller <djm@mindrot.org>2014-03-04 09:35:17 +1100
commit8569eba5d7f7348ce3955eeeb399f66f25c52ece (patch)
tree76d21af5de19f44ccc95ce5900f293ab84eb605a
parent2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 (diff)
- djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@
-rw-r--r--ChangeLog7
-rw-r--r--session.c9
2 files changed, 14 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index fa0453c8..e49127bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140304
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
+ [session.c]
+ ignore enviornment variables with embedded '=' or '\0' characters;
+ spotted by Jann Horn; ok deraadt@
+
20140301
- (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
no moduli file exists at the expected location.
diff --git a/session.c b/session.c
index f5049774..2bcf8185 100644
--- a/session.c
+++ b/session.c
@@ -978,6 +978,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
u_int envsize;
u_int i, namelen;
+ if (strchr(name, '=') != NULL) {
+ error("Invalid environment variable \"%.100s\"", name);
+ return;
+ }
+
/*
* If we're passed an uninitialized list, allocate a single null
* entry before continuing.
@@ -2225,8 +2230,8 @@ session_env_req(Session *s)
char *name, *val;
u_int name_len, val_len, i;
- name = packet_get_string(&name_len);
- val = packet_get_string(&val_len);
+ name = packet_get_cstring(&name_len);
+ val = packet_get_cstring(&val_len);
packet_check_eom();
/* Don't set too many environment variables */