From 0fa88fdcfec1ee4cfc8f9d1708803521d546c574 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Wed, 14 Sep 2011 17:28:41 +0300
Subject: [PATCH] Auth: fix possible off-by-one

No security impact, only triggable by specific API call
---
 src/auth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/auth.c b/src/auth.c
index 7238e9ab..0e018730 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -2004,7 +2004,7 @@ const char *ssh_userauth_kbdint_getanswer(ssh_session session, unsigned int i) {
                    || session->kbdint->answers == NULL) {
     return NULL;
   }
-  if (i > session->kbdint->nanswers) {
+  if (i >= session->kbdint->nanswers) {
     return NULL;
   }
 
@@ -2031,7 +2031,7 @@ int ssh_userauth_kbdint_setanswer(ssh_session session, unsigned int i,
   if (session == NULL)
     return -1;
   if (answer == NULL || session->kbdint == NULL ||
-      i > session->kbdint->nprompts) {
+      i >= session->kbdint->nprompts) {
     ssh_set_error_invalid(session, __FUNCTION__);
     return -1;
   }