$NetBSD: patch-aa,v 1.2 2005/06/17 15:32:44 hira Exp $

--- src/protocol_auth.c	Fri May 27 14:28:54 2005
+++ src/protocol_auth.c	Fri May 27 14:28:30 2005
@@ -118,7 +118,7 @@
 
 bool send_metakey(connection_t *c)
 {
-	char buffer[MAX_STRING_SIZE];
+	char *buffer;
 	int len;
 	bool x;
 
@@ -129,10 +129,11 @@
 	/* Allocate buffers for the meta key */
 
 	if(!c->outkey)
-		c->outkey = xmalloc(len);
+		c->outkey = xmalloc_and_zero(len);
 
 	if(!c->outctx)
 		c->outctx = xmalloc_and_zero(sizeof(*c->outctx));
+	buffer = xmalloc_and_zero(2 * len + 1);
 	cp();
 	/* Copy random data to the buffer */
 
@@ -167,6 +168,7 @@
 	if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) {
 		logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"),
 			   c->name, c->hostname);
+		free(buffer);
 		return false;
 	}
 
@@ -191,35 +193,45 @@
 					c->outcipher->iv_len)) {
 			logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"),
 					c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
+			free(buffer);
 			return false;
 		}
 
 		c->status.encryptout = true;
 	}
 
+	free(buffer);
 	return x;
 }
 
 bool metakey_h(connection_t *c)
 {
-	char buffer[MAX_STRING_SIZE];
+	char *buffer, fmt[513];
 	int cipher, digest, maclength, compression;
 	int len;
 
 	cp();
 
-	if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) {
+	len = RSA_size(myself->connection->rsa_key);
+	buffer = xmalloc(2 * len + 1);
+	memset(buffer, 0, 2 * len + 1);
+
+	memset(fmt, 0, 513);
+	snprintf(fmt, 512, "%%*d %%d %%d %%d %%d %%%ds", 2 * len);
+
+	if(sscanf(c->buffer, fmt, &cipher, &digest, &maclength, &compression, buffer) != 5) {
 		logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name,
 			   c->hostname);
+		free(buffer);
 		return false;
 	}
 
-	len = RSA_size(myself->connection->rsa_key);
 
 	/* Check if the length of the meta key is all right */
 
 	if(strlen(buffer) != len * 2) {
 		logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong keylength");
+		free(buffer);
 		return false;
 	}
 
@@ -240,6 +252,7 @@
 	if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) {	/* See challenge() */
 		logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"),
 			   c->name, c->hostname);
+		free(buffer);
 		return false;
 	}
 
@@ -258,6 +271,7 @@
 		
 		if(!c->incipher) {
 			logger(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, c->hostname);
+			free(buffer);
 			return false;
 		}
 
@@ -267,6 +281,7 @@
 					c->incipher->iv_len)) {
 			logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"),
 					c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL));
+			free(buffer);
 			return false;
 		}
 
@@ -282,11 +297,13 @@
 
 		if(!c->indigest) {
 			logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, c->hostname);
+			free(buffer);
 			return false;
 		}
 
 		if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) {
 			logger(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, c->hostname);
+			free(buffer);
 			return false;
 		}
 	} else {
@@ -297,19 +314,22 @@
 
 	c->allow_request = CHALLENGE;
 
+	free(buffer);
 	return send_challenge(c);
 }
 
 bool send_challenge(connection_t *c)
 {
-	char buffer[MAX_STRING_SIZE];
+	char *buffer;
 	int len;
+	bool ret;
 
 	cp();
 
 	/* CHECKME: what is most reasonable value for len? */
 
 	len = RSA_size(c->rsa_key);
+	buffer = xmalloc_and_zero(2 * len + 1);
 
 	/* Allocate buffers for the challenge */
 
@@ -327,29 +347,37 @@
 
 	/* Send the challenge */
 
-	return send_request(c, "%d %s", CHALLENGE, buffer);
+	ret = send_request(c, "%d %s", CHALLENGE, buffer);
+
+	free(buffer);
+
+	return ret;
 }
 
 bool challenge_h(connection_t *c)
 {
-	char buffer[MAX_STRING_SIZE];
-	int len;
+	char *buffer, fmt[513];
+	int len = RSA_size(myself->connection->rsa_key);
 
 	cp();
 
-	if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) {
+	buffer = xmalloc(2 * len + 1);
+	memset(fmt, 0, 513);
+	snprintf(fmt, 512, "%%*d %%%ds", 2*len);
+
+	if(sscanf(c->buffer, fmt, buffer) != 1) {
 		logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name,
 			   c->hostname);
+		free(buffer);
 		return false;
 	}
 
-	len = RSA_size(myself->connection->rsa_key);
-
 	/* Check if the length of the challenge is all right */
 
 	if(strlen(buffer) != len * 2) {
 		logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name,
 			   c->hostname, "wrong challenge length");
+		free(buffer);
 		return false;
 	}
 
@@ -366,6 +394,7 @@
 
 	/* Rest is done by send_chal_reply() */
 
+	free(buffer);
 	return send_chal_reply(c);
 }
 
