From d95af508e78c0cd3dce56b83853baaa59ae295cf Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sun, 12 Mar 2023 10:40:39 +0000
Subject: [PATCH] upstream: Limit number of entries in SSH2_MSG_EXT_INFO
request. This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09
Conflict:NA
Reference:https://github.com/openssh/openssh-portable/commit/d95af508e78c0cd3dce56b83853baaa59ae295cf
---
kex.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kex.c b/kex.c
index b681c58..2afa087 100644
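--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.176 2023/03/06 12:14:48 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 *
@@ -603,6 +603,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
 return r;
+ if (ninfo >= 1024) {
+ error("SSH2_MSG_EXT_INFO with too many entries, expected "
+ "<=1024, received %u", ninfo);
+ return SSH_ERR_INVALID_FORMAT;
+ }
 for (i = 0; i < ninfo; i++) {
 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
 return r;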
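Review bot: In the second hunk the guard `if (ninfo >= 1024)` rejects a message carrying exactly 1024 entries, yet the error text says `expected <=1024`, so the enforced limit and the logged limit differ by one. Either relax the test to `if (ninfo > 1024) {` or change the string to `"<1024, received %u", ninfo);`; a named constant shared by the test and the message would keep the two from drifting apart. `ninfo` comes straight from the peer's packet via `sshpkt_get_u32`, and this check is the only explicit cap on the loop that follows, so a short comment above it such as `/* peer-controlled count; bound it before iterating */` would record why it is there. The body of kex_input_ext_info starts and ends outside the hunk.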
--
2.33.0