upstream: Limit number of entries in SSH2_MSG_EXT_INFO

request. This is already constrained by the maximum SSH packet size but this
makes it explicit.  Prompted by Coverity CID 291868, ok djm@ markus@

OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09
This commit is contained in:
dtucker@openbsd.org 2023-03-12 10:40:39 +00:00 committed by Darren Tucker
parent 8f287ba60d
commit d95af508e7
No known key found for this signature in database
1 changed files with 6 additions and 1 deletions

7
kex.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.177 2023/03/08 04:43:12 guenther Exp $ */ /* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* *
@ -541,6 +541,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
return r; return r;
if (ninfo >= 1024) {
error("SSH2_MSG_EXT_INFO with too many entries, expected "
"<=1024, received %u", ninfo);
return SSH_ERR_INVALID_FORMAT;
}
for (i = 0; i < ninfo; i++) { for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
return r; return r;