From: djm@openbsd.org <djm@openbsd.org>
Date: Wed, 16 Aug 2023 16:14:11 +0000 (+0000)
Subject: upstream: defence-in-depth MaxAuthTries check in monitor; ok markus
X-Git-Tag: V_9_5_P1~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e706bca324a70f68dadfd0ec69edfdd486eed23a;p=thirdparty%2Fopenssh-portable.git

upstream: defence-in-depth MaxAuthTries check in monitor; ok markus

OpenBSD-Commit-ID: 65a4225dc708e2dae71315adf93677edace46c21
---

diff --git a/monitor.c b/monitor.c
index 1489c78d8..b3ed515ed 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.236 2023/05/10 10:04:20 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.237 2023/08/16 16:14:11 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -342,6 +342,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
 				    auth_method, auth_submethod);
 			}
 		}
+		if (authctxt->failures > options.max_authtries) {
+			/* Shouldn't happen */
+			fatal_f("privsep child made too many authentication "
+			    "attempts");
+		}
 	}
 
 	if (!authctxt->valid)