Subject: Re: PAM vulnerability in portable OpenSSH
To: Damien Miller <>
From: Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?= <>
List: current-users
Date: 10/02/2003 08:41:58
Damien Miller <> writes:
> Dag-Erling Sm=F8rgrav wrote:
> > XSSO page 89: "The parameter msg is a pointer to an array of length
> > num_msg of the pam_message structure".
> You don't seem to agree. The PAM code that you wrote for FreeBSD's
> OpenSSH treats msg as an array of pointers, not a pointer to an array
> of structs.

Not quite.  Part of the code treats it as an array of pointers, and
part of it treats it as an array of structs.  That is quite simply a
mistake that went undetected because it has no impact in the common
case (num_msg =3D=3D 1) and I don't know of any PAM modules which exercise
the uncommon case (num_msg > 1).  In hindsight, of course, I should
have written such a module for testing purposes.

> See my point? One of the vulnerabilities in the recent sshpam.adv was
> due to a similar confusion.

Not "a similar confusion"; it is the exact same code (which btw was
cut'n'pasted from OpenPAM's openpam_ttyconv(3)).

Dag-Erling Sm=F8rgrav -