From c9d92e9e6c46c5543f9261e1ac7893284df47834 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Tue, 11 Jun 2024 01:22:25 +0000
Subject: [PATCH] fix off-by-one comparison for PerSourcePenalty
 overflow:deny-all mode

---
 usr.bin/ssh/srclimit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr.bin/ssh/srclimit.c b/usr.bin/ssh/srclimit.c
index 011b83a4d3a..c89deefa8cf 100644
--- a/usr.bin/ssh/srclimit.c
+++ b/usr.bin/ssh/srclimit.c
@@ -259,7 +259,7 @@ srclimit_penalty_check_allow(int sock, const char **reason)
 			return 1;
 		}
 	}
-	if (npenalties > (size_t)penalty_cfg.max_sources &&
+	if (npenalties >= (size_t)penalty_cfg.max_sources &&
 	    penalty_cfg.overflow_mode == PER_SOURCE_PENALTY_OVERFLOW_DENY_ALL) {
 		*reason = "too many penalised addresses";
 		return 0;
-- 
2.20.1