upstream: Limit number of entries in SSH2_MSG_EXT_INFO
request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@ OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09
This commit is contained in:
parent
8f287ba60d
commit
d95af508e7
7
kex.c
7
kex.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: kex.c,v 1.177 2023/03/08 04:43:12 guenther Exp $ */
|
/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
@ -541,6 +541,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
|
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
|
||||||
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
|
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
|
||||||
return r;
|
return r;
|
||||||
|
if (ninfo >= 1024) {
|
||||||
|
error("SSH2_MSG_EXT_INFO with too many entries, expected "
|
||||||
|
"<=1024, received %u", ninfo);
|
||||||
|
return SSH_ERR_INVALID_FORMAT;
|
||||||
|
}
|
||||||
for (i = 0; i < ninfo; i++) {
|
for (i = 0; i < ninfo; i++) {
|
||||||
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
|
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
Loading…
Reference in New Issue