Fix the length check when computing a fake challenge for users not

in the S/Key database.  If the system hostname is longer than 126
characters this could result in NUL bytes being written past the
end of a stack buffer.  There is no impact on systems with a hostname
126 characters or less.  Found by Qualys.  OK deraadt@

diff --git a/lib/libskey/skeylogin.c b/lib/libskey/skeylogin.c
index b1e7f74..0b73529 100644 (file)
--- a/lib/libskey/skeylogin.c
+++ b/lib/libskey/skeylogin.c
@@ -10,7 +10,7 @@
  *
  * S/Key verification check, lookups, and authentication.
  *
- * $OpenBSD: skeylogin.c,v 1.63 2022/12/27 17:10:07 jmc Exp $
+ * $OpenBSD: skeylogin.c,v 1.64 2023/03/15 17:01:35 millert Exp $
  */
 
 #ifdef QUOTA
@@ -436,8 +436,8 @@ skey_fakeprompt(char *username, char *skeyprompt)
                        if (isalpha((unsigned char)*p) &&
                            isupper((unsigned char)*p))
                                *p = (char)tolower((unsigned char)*p);
-       if (*p && pbuf - p < 4)
-               (void)strncpy(p, "asjd", 4 - (pbuf - p));
+       if (*p && p - pbuf < 4)
+               (void)strncpy(p, "asjd", 4 - (p - pbuf));
        pbuf[4] = '\0';
 
        /* Hash the username if possible */