From 387ae65b6cb91eb00c44c61420f1e107d07d9d8e Mon Sep 17 00:00:00 2001
From: dtucker
Date: Sun, 12 Mar 2023 10:40:39 +0000
Subject: [PATCH] Put upper bound on number of entries in SSH2_MSG_EXT_INFO request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
---
 usr.bin/ssh/kex.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/usr.bin/ssh/kex.c b/usr.bin/ssh/kex.c
index 4a854cde114..3b08e34611f 100644
--- a/usr.bin/ssh/kex.c
+++ b/usr.bin/ssh/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.177 2023/03/08 04:43:12 guenther Exp $ */
+/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 *
@@ -526,6 +526,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
 ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
 if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
 return r;
+ if (ninfo >= 1024) {
+ error("SSH2_MSG_EXT_INFO with too many entries, expected "
+ "<=1024, received %u", ninfo);
+ return SSH_ERR_INVALID_FORMAT;
+ }
 for (i = 0; i < ninfo; i++) {
 if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
 return r;
-- 
2.20.1
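Review bot: The bound added in the second hunk (kex_input_ext_info) disagrees with its own error text at the boundary: `if (ninfo >= 1024) {` rejects a count of exactly 1024, while the message says `expected <=1024`. Either relax the test to `if (ninfo > 1024) {` or change the message to `<1024`, so that the log line matches what is actually enforced. ninfo is read straight from the peer's packet by sshpkt_get_u32, so this message is what an operator will rely on when triaging a rejected connection. Giving the limit a name, used in both the comparison and the message, would stop the two from drifting apart again. The function body starts and ends outside the hunk.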