- markus@cvs.openbsd.org 2011/08/01 19:18:15

[gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@
2011-08-06 06:16:46 +10:00 · 2011-08-06 06:16:46 +10:00 · adb467fb69
parent 35e48198a8
commit adb467fb69
2 changed files with 7 additions and 1 deletions
--- a/4
+++ b/4
@ -13,6 +13,10 @@
     fail open(2) with EPERM rather than SIGKILLing the whole process. libc
     will call open() to do strerror() when NLS is enabled;
     feedback and ok markus@
+   - markus@cvs.openbsd.org 2011/08/01 19:18:15
+     [gss-serv.c]
+     prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
+     report Adam Zabrock; ok djm@, deraadt@

 20110624
 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
--- a/gss-serv.c
+++ b/gss-serv.c
@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */

 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -229,6 +229,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 	name->length = get_u32(tok+offset);
 	offset += 4;

+	if (UINT_MAX - offset < name->length)
+		return GSS_S_FAILURE;
 	if (ename->length < offset+name->length)
 		return GSS_S_FAILURE;