Marco Trevisan
2025-Feb-13 16:42 UTC
[PATCH] auth2-chall: Fix selection of the keyboard-interactive device
From: Marco Trevisan (Treviño) <mail at 3v1n0.net>
We were only checking if the prefix of a device name was matching what
we had in the devices list, so if the device list contained "pam", then
also the device "pam-foo" was matching.
---
auth2-chall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth2-chall.c b/auth2-chall.c
index 021df8291..52d38e2ef 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt
*kbdintctxt)
"keyboard-interactive", devices[i]->name))
continue;
if (strncmp(kbdintctxt->devices, devices[i]->name,
- len) == 0) {
+ len) == 0 && strlen(devices[i]->name) == len) {
kbdintctxt->device = devices[i];
kbdintctxt->devices_done |= 1 << i;
}
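Review bot: The added strlen(devices[i]->name) == len test in the strncmp() condition is what turns the prefix match into an exact match, but nothing in the code says so. A one-line comment above the if, stating that the device name must equal the whole list entry (so that "pam" does not select "pam-foo"), would keep a later cleanup from dropping it. The length comparison could also be evaluated before strncmp(), since it rejects mismatched names without comparing bytes. A regression test for the "pam" / "pam-foo" case described in the commit message would be worth adding alongside this change.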
--
2.34.1