
- markus@cvs.openbsd.org 2011/08/01 19:18:15

     [gss-serv.c]
     prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
     report Adam Zabrock; ok djm@, deraadt@
commit e214305bf051ae78dbe9ad2ea880eaa5c1b2e7cd 1 parent da297b1
djm authored
Showing with 7 additions and 1 deletion.
  1. +4 −0 ChangeLog
  2. +3 −1 gss-serv.c
4 ChangeLog
@@ -13,6 +13,10 @@
fail open(2) with EPERM rather than SIGKILLing the whole process. libc
will call open() to do strerror() when NLS is enabled;
feedback and ok markus@
+ - markus@cvs.openbsd.org 2011/08/01 19:18:15
+ [gss-serv.c]
+ prevent post-auth resource exhaustion (int overflow leading to 4GB malloc);
+ report Adam Zabrock; ok djm@, deraadt@
20110624
- (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for
4 gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -229,6 +229,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
name->length = get_u32(tok+offset);
offset += 4;
+ if (UINT_MAX - offset < name->length)
+ return GSS_S_FAILURE;
if (ename->length < offset+name->length)
return GSS_S_FAILURE;
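Review bot: The added guard `if (UINT_MAX - offset < name->length)` is only a correct overflow test if `offset` is an `unsigned int`, and its declaration is outside this hunk, so please confirm the type or state it in a comment. A short comment above the guard saying that it stops `offset+name->length` from wrapping before the comparison with `ename->length` on the following line would also make the intent clear to later readers, since the allocation the commit message refers to is not visible here. The patch adds no `#include` to gss-serv.c, so also check that `<limits.h>` is already in scope for `UINT_MAX` on every supported platform.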
