From: millert Date: Wed, 15 Mar 2023 17:01:35 +0000 (+0000) Subject: Fix the length check when computing a fake challenge for users not X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=848ef98a011b51fa811cb86fe900433edd2db24a;p=openbsd Fix the length check when computing a fake challenge for users not in the S/Key database. If the system hostname is longer than 126 characters this could result in NUL bytes being written past the end of a stack buffer. There is no impact on systems with a hostname 126 characters or less. Found by Qualys. OK deraadt@ --- diff --git a/lib/libskey/skeylogin.c b/lib/libskey/skeylogin.c index b1e7f74e48b..0b7352983c0 100644 --- a/lib/libskey/skeylogin.c +++ b/lib/libskey/skeylogin.c @@ -10,7 +10,7 @@ * * S/Key verification check, lookups, and authentication. * - * $OpenBSD: skeylogin.c,v 1.63 2022/12/27 17:10:07 jmc Exp $ + * $OpenBSD: skeylogin.c,v 1.64 2023/03/15 17:01:35 millert Exp $ */ #ifdef QUOTA @@ -436,8 +436,8 @@ skey_fakeprompt(char *username, char *skeyprompt) if (isalpha((unsigned char)*p) && isupper((unsigned char)*p)) *p = (char)tolower((unsigned char)*p); - if (*p && pbuf - p < 4) - (void)strncpy(p, "asjd", 4 - (pbuf - p)); + if (*p && p - pbuf < 4) + (void)strncpy(p, "asjd", 4 - (p - pbuf)); pbuf[4] = '\0'; /* Hash the username if possible */
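Review bot: In the two replaced lines of the skey_fakeprompt hunk, the offset `p - pbuf` is still computed twice, once in the `if` condition and once in the strncpy count, so the same sign slip can return in either place; computing it once into a local (for example a size_t named off, a hypothetical name) and using `off < 4` and `4 - off` would keep the guard and the count tied together. The distinction matters because strncpy pads the destination with NUL bytes up to the count: with the old `pbuf - p` the condition held for any non-negative offset and the count grew as 4 plus the offset, which matches the overflow described in the commit message. With the corrected form, and assuming p only ever advances from pbuf, the count is between 1 and 4 and the write stays inside the first four bytes that `pbuf[4] = '\0'` terminates. A one-line comment stating that invariant, or a named constant for the 4 that appears in the condition, the count and the terminator index, would make the bound easier to audit.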