summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2011-08-01 19:18:16 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2011-08-01 19:18:16 +0000
commitd19475419ab822aa1374a4e448a06e5114202459 (patch)
treee64610a338764e1a83dd2093da713af57ebf5411 /usr.bin/ssh
parent1e57dc8578d2ee0a578b754065ff8cb373645b3e (diff)
prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
report Adam Zabrock; ok djm@, deraadt@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/gss-serv.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.bin/ssh/gss-serv.c b/usr.bin/ssh/gss-serv.c
index 5dc73f1513c..1bbc988a69f 100644
--- a/usr.bin/ssh/gss-serv.c
+++ b/usr.bin/ssh/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -225,6 +225,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
name->length = get_u32(tok+offset);
offset += 4;
+ if (UINT_MAX - offset < name->length)
+ return GSS_S_FAILURE;
if (ename->length < offset+name->length)
return GSS_S_FAILURE;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-24 04:04:01 +0000