portable-specific int overflow defence-in-depth

These too are unreachable, but we want the code to be safe regardless of context. Reported by Yair Mizrahi @ JFrog
author: Damien Miller <djm@mindrot.org> 2023-07-14 15:34:47 +1000
committer: Damien Miller <djm@mindrot.org> 2023-07-14 15:34:47 +1000
commit: 4b94d09542e36ebde2eb9ad89bc68431609932de (patch)
tree: 9f2ce7892faaf14acbb1d24ef0becd657bd05cc5 /auth-pam.c
parent: 2ee48adb9fc8692e8d6ac679dcc9f35e89ad68f0 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/auth-pam.c b/auth-pam.c
index f5a06b1f..205715f0 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -848,7 +848,7 @@ sshpam_query(void *ctx, char **name, char **info,
 	size_t plen;
 	u_char type;
 	char *msg;
-	size_t len, mlen;
+	size_t len, mlen, nmsg = 0;
 	int r;
 
 	debug3("PAM: %s entering", __func__);
@@ -861,6 +861,8 @@ sshpam_query(void *ctx, char **name, char **info,
 	plen = 0;
 	*echo_on = xmalloc(sizeof(u_int));
 	while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
+		if (++nmesg > PAM_MAX_NUM_MSG)
+			fatal_f("too many query messages");
 		if ((r = sshbuf_get_u8(buffer, &type)) != 0 ||
 		    (r = sshbuf_get_cstring(buffer, &msg, &mlen)) != 0)
 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
author	Damien Miller <djm@mindrot.org>	2023-07-14 15:34:47 +1000
committer	Damien Miller <djm@mindrot.org>	2023-07-14 15:34:47 +1000
commit	4b94d09542e36ebde2eb9ad89bc68431609932de (patch)
tree	9f2ce7892faaf14acbb1d24ef0becd657bd05cc5 /auth-pam.c
parent	2ee48adb9fc8692e8d6ac679dcc9f35e89ad68f0 (diff)