Prevent excessively long username going to PAM.

This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations.  This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some other
PAM application.

Based on github PR#212 from Mike Scott but implemented slightly
differently.  ok tim@ djm@

diff --git a/auth-pam.c b/auth-pam.c
index 83238215127453c6558f78284f3d153e465b2e10..d429ef13aaea14198b4de4e34f43e999a66f9206 100644 (file)
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -689,6 +689,12 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
        const char *pam_user, *user = authctxt->user;
        const char **ptr_pam_user = &pam_user;
 
+#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
+       /* Protect buggy PAM implementations from excessively long usernames */
+       if (strlen(user) >= PAM_MAX_RESP_SIZE)
+               fatal("Username too long from %s port %d",
+                   ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+#endif
        if (sshpam_handle == NULL) {
                if (ssh == NULL) {
                        fatal("%s: called initially with no "