- djm@cvs.openbsd.org 2014/03/03 22:22:30

[session.c] ignore enviornment variables with embedded '=' or '\0' characters; spotted by Jann Horn; ok deraadt@
author: Damien Miller <djm@mindrot.org> 2014-03-04 09:35:17 +1100
committer: Damien Miller <djm@mindrot.org> 2014-03-04 09:35:17 +1100
commit: 8569eba5d7f7348ce3955eeeb399f66f25c52ece (patch)
tree: 76d21af5de19f44ccc95ce5900f293ab84eb605a
parent: 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 (diff)
2 files changed, 14 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index fa0453c8..e49127bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140304
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/03/03 22:22:30
+     [session.c]
+     ignore enviornment variables with embedded '=' or '\0' characters;
+     spotted by Jann Horn; ok deraadt@
+
 20140301
  - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
    no moduli file exists at the expected location.
diff --git a/session.c b/session.c
index f5049774..2bcf8185 100644
--- a/session.c
+++ b/session.c
@@ -978,6 +978,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
 	u_int envsize;
 	u_int i, namelen;
 
+	if (strchr(name, '=') != NULL) {
+		error("Invalid environment variable \"%.100s\"", name);
+		return;
+	}
+
 	/*
 	 * If we're passed an uninitialized list, allocate a single null
 	 * entry before continuing.
@@ -2225,8 +2230,8 @@ session_env_req(Session *s)
 	char *name, *val;
 	u_int name_len, val_len, i;
 
-	name = packet_get_string(&name_len);
-	val = packet_get_string(&val_len);
+	name = packet_get_cstring(&name_len);
+	val = packet_get_cstring(&val_len);
 	packet_check_eom();
 
 	/* Don't set too many environment variables */
author	Damien Miller <djm@mindrot.org>	2014-03-04 09:35:17 +1100
committer	Damien Miller <djm@mindrot.org>	2014-03-04 09:35:17 +1100
commit	8569eba5d7f7348ce3955eeeb399f66f25c52ece (patch)
tree	76d21af5de19f44ccc95ce5900f293ab84eb605a
parent	2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 (diff)