The following diffs fix negative index array accesses. For the
path_append diff, if the first path is empty the second path is
just duplicated without a '/'. Is this correct?

-Ray-

Index: misc.c
================================================== =================
RCS file: /home/ray/openbsd/src/usr.bin/ssh/misc.c,v
retrieving revision 1.64
diff -u -p -r1.64 misc.c
--- misc.c 3 Aug 2006 03:34:42 -0000 1.64
+++ misc.c 2 Nov 2006 20:05:41 -0000
@@ -604,11 +604,15 @@ read_keyfile_line(FILE *f, const char *f
{
while (fgets(buf, bufsz, f) != NULL) {
(*lineno)++;
- if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
+ if (buf[0] != '\0' && buf[strlen(buf) - 1] == '\n' || feof(f)) {
return 0;
} else {
- debug("%s: %s line %lu exceeds size limit", __func__,
- filename, *lineno);
+ if (buf[0] != '\0')
+ debug("%s: %s line %lu exceeds size limit",
+ __func__, filename, *lineno);
+ else
+ debug("%s: %s line %lu contains a NUL character",
+ __func__, filename, *lineno);
/* discard remainder of line */
while (fgetc(f) != '\n' && !feof(f))
; /* nothing */
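Review bot: In the new `else` path, a `buf` that starts with NUL reaches the discard loop even when fgets() already consumed that line's newline (a line whose first byte is NUL but which fits in `bufsz`), so the `fgetc` loop reads and drops the following line as well. For a key file this means an entry after a NUL-bearing line may be skipped silently, and `*lineno` no longer matches the file. A NUL in the middle of a line behaves the same way and is still reported as "exceeds size limit", because `strlen(buf)` stops short of the real end. Consider stating the limit in a comment such as `/* a line containing NUL cannot be length-checked; the next line may be discarded too */`, and parenthesising the mixed test as `if ((buf[0] != '\0' && buf[strlen(buf) - 1] == '\n') || feof(f))`. The function body continues beyond the hunk.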
Index: sftp.c
================================================== =================
RCS file: /home/ray/openbsd/src/usr.bin/ssh/sftp.c,v
retrieving revision 1.93
diff -u -p -r1.93 sftp.c
--- sftp.c 30 Sep 2006 17:48:22 -0000 1.93
+++ sftp.c 2 Nov 2006 20:14:58 -0000
@@ -286,11 +286,11 @@ static char *
path_append(char *p1, char *p2)
{
char *ret;
- int len = strlen(p1) + strlen(p2) + 2;
+ size_t len = strlen(p1) + strlen(p2) + 2;

ret = xmalloc(len);
strlcpy(ret, p1, len);
- if (p1[strlen(p1) - 1] != '/')
+ if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/')
strlcat(ret, "/", len);
strlcat(ret, p2, len);

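Review bot: With the added `p1[0] != '\0'` guard, an empty `p1` makes path_append return a plain copy of `p2`, so a relative `p2` stays relative instead of being joined to a directory. The callers are not visible here, so it should be checked whether any of them relies on a separator being present. Either way the behaviour deserves a comment above the test, e.g. `/* empty p1: p2 is returned unchanged, no '/' is prepended */`. `strlen(p1)` is also written out twice; `size_t p1len = strlen(p1);` would let the allocation size and the index share one value. The function body continues past the hunk.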