diff --git a/plugins/ssh-base/sshd.c b/plugins/ssh-base/sshd.c
index 3fd245a0..d479e31d 100644
--- a/plugins/ssh-base/sshd.c
+++ b/plugins/ssh-base/sshd.c
@@ -1495,7 +1495,7 @@ again:
 /* CHRQ pty-req */
 case SSHS_NVC_CHRQ_TERM:
- strncpy(pss->args.pty.term, pss->name,
+ memcpy(pss->args.pty.term, pss->name,
 sizeof(pss->args.pty.term) - 1);
 state_get_u32(pss, SSHS_NVC_CHRQ_TW);
 break;
@@ -1975,7 +1975,7 @@ lws_callback_raw_sshd(struct lws *wsi, enum lws_callback_reasons reason,
 struct per_session_data__sshd *pss =
 (struct per_session_data__sshd *)user, **p;
 struct per_vhost_data__sshd *vhd = NULL;
- uint8_t buf[LWS_PRE + 1024], *pp, *ps = &buf[LWS_PRE + 512];
+ uint8_t buf[LWS_PRE + 1024], *pp, *ps = &buf[LWS_PRE + 512], *ps1 = NULL;
 const struct lws_protocol_vhost_options *pvo;
 const struct lws_protocols *prot;
 struct lws_ssh_channel *ch;
@@ -2233,13 +2233,13 @@ lws_callback_raw_sshd(struct lws *wsi, enum lws_callback_reasons reason,
 lwsl_notice("pubkey too large\n");
 goto bail;
 }
- ps = sshd_zalloc(n);
- if (!ps)
+ ps1 = sshd_zalloc(n);
+ if (!ps1)
 goto bail;
- pp = ps + 5;
+ pp = ps1 + 5;
 *pp++ = SSH_MSG_USERAUTH_PK_OK;
 if (lws_cstr(&pp, pss->ua->alg, 64)) {
- free(ps);
+ free(ps1);
 goto bail;
 }
 lws_p32(pp, pss->ua->pubkey_len);
@@ -2451,7 +2451,7 @@ bail:
 lws_kex_destroy(pss);
 break;
 case SSH_WT_UA_PK_OK:
- free(ps);
+ free(ps1);
 break;
 case SSH_WT_CH_CLOSE:
 if (ch->received_close) {
@@ -2480,7 +2480,7 @@ bail:
 (pss->wt_tail + 1) & 7;
 } else if (o == SSH_WT_UA_PK_OK) /* free it either way */
- free(ps);
+ free(ps1);
 ch = ssh_get_server_ch(pss, 0);
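Review bot: The `memcpy` in the `SSHS_NVC_CHRQ_TERM` case (hunk at -1495) always copies `sizeof(pss->args.pty.term) - 1` bytes from `pss->name`, regardless of how long the received terminal name is. It therefore reads past the string's NUL, and past `pss->name` itself if that buffer is the smaller of the two (its size is not visible in this hunk). Nothing here writes a terminator either, so the result is only a valid C string if the last byte of `term` was already zero. Since the value presumably comes from the peer's pty-req, bound the copy by the actual string length and terminate explicitly: `size_t l = strnlen(pss->name, sizeof(pss->args.pty.term) - 1);` `memcpy(pss->args.pty.term, pss->name, l);` `pss->args.pty.term[l] = '\0';`. The enclosing switch starts and ends outside the hunk.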
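Review bot: The new `ps1` in the declaration line of `lws_callback_raw_sshd` (hunk at -1975) has a name that says nothing about ownership, while `ps` next to it must never be passed to `free()` because it points into the stack array `buf`. I would give it its own declaration line with a comment, for example `uint8_t *ps1 = NULL; /* heap buffer for the USERAUTH_PK_OK reply, freed in this callback; ps points into buf[] and is never freed */`. The later hunks show `ps1` being allocated with `sshd_zalloc()` and released with `free()`, so the `NULL` initialiser is what keeps the unconditional frees safe and deserves a mention in that comment. The function body continues outside the hunk.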
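Review bot: In the hunk at -2233, `pp` now walks the heap block held in `ps1`, but `ps` still points at `&buf[LWS_PRE + 512]` and nothing in the hunk assigns it. If the code after the hunk that finalises and sends the packet still treats `ps` as the start of the message (not visible here), the length would be derived from two unrelated pointers and the payload sent from the stack buffer instead of the allocation. Adding `ps = ps1;` right after the `if (!ps1) goto bail;` check would keep the two consistent while leaving `ps1` as the only pointer ever passed to `free()`. The enclosing case starts and ends outside the hunk.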
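Review bot: The `free(ps1);` under `case SSH_WT_UA_PK_OK:` (hunk at -2451) leaves `ps1` dangling, and the "free it either way" branch in the hunk at -2480 frees the same variable again. The two sites look like alternative arms, but that exclusivity is not visible in either hunk. The `free(ps1); goto bail;` pair in the -2233 hunk has the same shape, and both later frees sit textually after the `bail:` label. Writing `free(ps1); ps1 = NULL;` at all three sites makes a second `free()` a harmless no-op whichever path is taken.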