From: Damien Miller Date: Fri, 5 Aug 2011 20:16:46 +0000 (+1000) Subject: - markus@cvs.openbsd.org 2011/08/01 19:18:15 X-Git-Tag: V_5_9_P1~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=adb467fb692600c569d8129dfd96371b481d2653;p=thirdparty%2Fopenssh-portable.git - markus@cvs.openbsd.org 2011/08/01 19:18:15 [gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@ --- diff --git a/ChangeLog b/ChangeLog index ccca485f8..8b4676cfc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,10 @@ fail open(2) with EPERM rather than SIGKILLing the whole process. libc will call open() to do strerror() when NLS is enabled; feedback and ok markus@ + - markus@cvs.openbsd.org 2011/08/01 19:18:15 + [gss-serv.c] + prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); + report Adam Zabrock; ok djm@, deraadt@ 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for diff --git a/gss-serv.c b/gss-serv.c index 2ec7ea19c..c719c1306 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -229,6 +229,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name) name->length = get_u32(tok+offset); offset += 4; + if (UINT_MAX - offset < name->length) + return GSS_S_FAILURE; if (ename->length < offset+name->length) return GSS_S_FAILURE;
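Review bot: the new guard in the gss-serv.c hunk, `if (UINT_MAX - offset < name->length) return GSS_S_FAILURE;`, is correctly written in the non-wrapping form and correctly placed after `offset += 4`, so the existing `if (ename->length < offset+name->length)` test that follows can no longer be defeated by making `offset+name->length` wrap; however it only does that job if `offset+name->length` is evaluated in 32-bit unsigned arithmetic, which is what the choice of `UINT_MAX` assumes but nothing in the hunk states. Suggest a one-line comment above the check, e.g. `/* offset+name->length must not wrap; length is an attacker-supplied u32 (see ChangeLog: int overflow leading to 4GB malloc) */`, so that a later change to the type of `offset` or of `name->length` does not silently turn the check into a no-op. Minor: the ChangeLog hunk spells the reporter's name "Adam Zabrock"; worth confirming against the original report before tagging.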