From fcf429a4c69d30d8725612a55b37181594da8ddf Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 11 Nov 2020 12:30:46 +1100 Subject: [PATCH] Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. Based on github PR#212 from Mike Scott but implemented slightly differently. ok tim@ djm@ --- auth-pam.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/auth-pam.c b/auth-pam.c index 832382151..d429ef13a 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -689,6 +689,12 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt) const char *pam_user, *user = authctxt->user; const char **ptr_pam_user = &pam_user; +#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE) + /* Protect buggy PAM implementations from excessively long usernames */ + if (strlen(user) >= PAM_MAX_RESP_SIZE) + fatal("Username too long from %s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); +#endif if (sshpam_handle == NULL) { if (ssh == NULL) { fatal("%s: called initially with no "