authordjm <djm@openbsd.org>2016-11-06 05:46:37 +0000
committerdjm <djm@openbsd.org>2016-11-06 05:46:37 +0000
commit771b9066f65b11ea1d8af3389e8476c13d6c3657 (patch)
tree220a2821322aaaa19d7b8e6aa6d45f8aba9ee6ea /usr.bin/ssh/auth.c
parentsync (diff)
Validate address ranges for AllowUser/DenyUsers at configuration load
time and refuse to accept bad ones. It was previously possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and these would always match. Thanks to Laurence Parry for a detailed bug report. ok markus (for a previous diff version)
Diffstat (limited to 'usr.bin/ssh/auth.c')
-rw-r--r--usr.bin/ssh/auth.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c
index 5d48fd67759..4f7cc2df3f0 100644
--- a/usr.bin/ssh/auth.c
+++ b/usr.bin/ssh/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.116 2016/08/13 17:47:41 markus Exp $ */
+/* $OpenBSD: auth.c,v 1.117 2016/11/06 05:46:37 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -86,6 +86,7 @@ allowed_user(struct passwd * pw)
struct ssh *ssh = active_state; /* XXX */
struct stat st;
const char *hostname = NULL, *ipaddr = NULL;
+ int r;
u_int i;
/* Shouldn't be called if pw is NULL, but better safe than sorry... */
@@ -126,8 +127,12 @@ allowed_user(struct passwd * pw)
/* Return false if user is listed in DenyUsers */
if (options.num_deny_users > 0) {
for (i = 0; i < options.num_deny_users; i++)
- if (match_user(pw->pw_name, hostname, ipaddr,
- options.deny_users[i])) {
+ r = match_user(pw->pw_name, hostname, ipaddr,
+ options.deny_users[i]);
+ if (r < 0) {
+ fatal("Invalid DenyUsers pattern \"%.100s\"",
+ options.deny_users[i]);
+ } else if (r != 1) {
logit("User %.100s from %.100s not allowed "
"because listed in DenyUsers",
pw->pw_name, hostname);
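Review bot: The rewritten DenyUsers test at `} else if (r != 1) {` inverts the condition the removed lines expressed: they logged and rejected the user when match_user() matched, whereas the new branch fires when r is 0, i.e. when the pattern does not match. If match_user() returns 1 on a match and 0 otherwise, as the `r == 1` break test in the AllowUsers hunk implies, a user who is listed in DenyUsers now skips the rejection while every user not listed is logged as "listed in DenyUsers" and refused, the opposite of what the directive is for. The branch should read `} else if (r == 1) {` (equivalently `r != 0`), mirroring the AllowUsers hunk. The rejection body after the logit and the rest of allowed_user() lie outside this hunk.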
@@ -136,10 +141,15 @@ allowed_user(struct passwd * pw)
}
/* Return false if AllowUsers isn't empty and user isn't listed there */
if (options.num_allow_users > 0) {
- for (i = 0; i < options.num_allow_users; i++)
- if (match_user(pw->pw_name, hostname, ipaddr,
- options.allow_users[i]))
+ for (i = 0; i < options.num_allow_users; i++) {
+ r = match_user(pw->pw_name, hostname, ipaddr,
+ options.allow_users[i]);
+ if (r < 0) {
+ fatal("Invalid AllowUsers pattern \"%.100s\"",
+ options.allow_users[i]);
+ } else if (r == 1)
break;
+ }
/* i < options.num_allow_users iff we break for loop */
if (i >= options.num_allow_users) {
logit("User %.100s from %.100s not allowed because "