From ca613249a00b64b2eea9f52d3834b55c28cf2862 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 10 Feb 2018 05:48:46 +0000
Subject: [PATCH] upstream commit

Refuse to create a certificate with an unusable number of
principals; Prompted by gdestuynder via github

OpenBSD-Commit-ID: 8cfae2451e8f07810e3e2546dfdcce66984cbd29
---
 ssh-keygen.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssh-keygen.c b/ssh-keygen.c
index d81f42cb6..9812c0d2a 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.311 2018/02/10 05:43:26 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.312 2018/02/10 05:48:46 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1697,6 +1697,8 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
 			}
 			free(otmp);
 		}
+		if (n > SSHKEY_CERT_MAX_PRINCIPALS)
+			fatal("Too many certificate principals specified");
 	
 		tmp = tilde_expand_filename(argv[i], pw->pw_uid);
 		if ((r = sshkey_load_public(tmp, &public, &comment)) != 0)