
Commit fcd135c

daztucker authored and djm committed
upstream commit
Skip passwords longer than 1k in length so clients can't easily DoS sshd by sending very long passwords, causing it to spend CPU hashing them. feedback djm@, ok markus@.

Brought to our attention by tomas.kuthan at oracle.com, shilei-c at 360.cn and coredump at autistici.org

Upstream-ID: d0af7d4a2190b63ba1d38eec502bc4be0be9e333
1 parent 324583e commit fcd135c

1 file changed: +6 -1 lines changed

Diff for: auth-passwd.c

@@ -1,4 +1,4 @@
1-
/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
1+
/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
22
/*
33
* Author: Tatu Ylonen <ylo@cs.hut.fi>
44
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -66,6 +66,8 @@ extern login_cap_t *lc;
6666
#define DAY (24L * 60 * 60) /* 1 day in seconds */
6767
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
6868

69+
#define MAX_PASSWORD_LEN 1024
70+
6971
void
7072
disable_forwarding(void)
7173
{
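Review bot: The new `#define MAX_PASSWORD_LEN 1024` carries no comment, unlike the DAY and TWO_WEEKS defines directly above it, which each explain their value. A short comment stating that the cap exists to bound the CPU spent hashing client-supplied passwords, and that the limit is in bytes, would stop a later change from raising or removing it without knowing why it is there.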
@@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
8789
static int expire_checked = 0;
8890
#endif
8991

92+
if (strlen(password) > MAX_PASSWORD_LEN)
93+
return 0;
94+
9095
#ifndef HAVE_CYGWIN
9196
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
9297
ok = 0;
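Review bot: The early `return 0` after `strlen(password) > MAX_PASSWORD_LEN` is silent, so nothing in this hunk separates an over-long password from an ordinary wrong one in the server's records. Since the limit is there to blunt a CPU-exhaustion attempt, consider logging the rejection with the offending length (never the password) before returning, so operators can see such attempts and a user whose real password exceeds the cap has something to diagnose. A one-line comment above the check explaining why it sits ahead of the other tests in auth_password() would also help.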
