upstream: defence-in-depth MaxAuthTries check in monitor; ok markus
authordjm@openbsd.org <djm@openbsd.org>
Wed, 16 Aug 2023 16:14:11 +0000 (16:14 +0000)
committerDamien Miller <djm@mindrot.org>
Fri, 18 Aug 2023 01:44:41 +0000 (11:44 +1000)
OpenBSD-Commit-ID: 65a4225dc708e2dae71315adf93677edace46c21

monitor.c

index 1489c78d81ec523308623ccad5f249bba7eb54ea..b3ed515ed0bacb354f5b13e742870f76d762a9af 100644 (file)
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.236 2023/05/10 10:04:20 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.237 2023/08/16 16:14:11 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -342,6 +342,11 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
                                    auth_method, auth_submethod);
                        }
                }
+               if (authctxt->failures > options.max_authtries) {
+                       /* Shouldn't happen */
+                       fatal_f("privsep child made too many authentication "
+                           "attempts");
+               }
        }
 
        if (!authctxt->valid)
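Review bot: The `/* Shouldn't happen */` comment on the added check in monitor_child_preauth does not say which invariant is enforced or why the bound is `>` rather than `>=`, which is what the next reader will need to know. Judging from the commit title and the fatal message, the unprivileged child is expected to stop at MaxAuthTries itself, and this check keeps a misbehaving child from submitting further attempts to the monitor; a comment such as `/* The unprivileged child enforces MaxAuthTries itself; exceeding it here means the child is misbehaving. */` would record that. Because this path firing is worth investigating, the message could also carry the counts, e.g. `fatal_f("privsep child made too many authentication attempts (%d > %d)", authctxt->failures, options.max_authtries);`, assuming both fields are plain ints (their declarations are outside the hunk). The function body starts and ends outside the hunk, so where `failures` is incremented relative to this check is not visible here.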