diff options
author | Damien Miller <djm@mindrot.org> | 2023-07-14 15:34:47 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2023-07-14 15:34:47 +1000 |
commit | 4b94d09542e36ebde2eb9ad89bc68431609932de (patch) | |
tree | 9f2ce7892faaf14acbb1d24ef0becd657bd05cc5 /auth-pam.c | |
parent | 2ee48adb9fc8692e8d6ac679dcc9f35e89ad68f0 (diff) |
portable-specific int overflow defence-in-depth
These too are unreachable, but we want the code to be safe regardless of
context. Reported by Yair Mizrahi @ JFrog
Diffstat (limited to 'auth-pam.c')
-rw-r--r-- | auth-pam.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -848,7 +848,7 @@ sshpam_query(void *ctx, char **name, char **info, size_t plen; u_char type; char *msg; - size_t len, mlen; + size_t len, mlen, nmsg = 0; int r; debug3("PAM: %s entering", __func__); @@ -861,6 +861,8 @@ sshpam_query(void *ctx, char **name, char **info, plen = 0; *echo_on = xmalloc(sizeof(u_int)); while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) { + if (++nmesg > PAM_MAX_NUM_MSG) + fatal_f("too many query messages"); if ((r = sshbuf_get_u8(buffer, &type)) != 0 || (r = sshbuf_get_cstring(buffer, &msg, &mlen)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); |