authorDamien Miller <djm@mindrot.org>2011-08-06 06:16:46 +1000
committerDamien Miller <djm@mindrot.org>2011-08-06 06:16:46 +1000
commitadb467fb692600c569d8129dfd96371b481d2653 (patch)
tree50728a7b11d956711f722b62f378a4905d0f5229 /gss-serv.c
parent35e48198a80aba7361bce8dde4fba464800e3ff6 (diff)
- markus@cvs.openbsd.org 2011/08/01 19:18:15
[gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@
Diffstat (limited to 'gss-serv.c')
-rw-r--r--gss-serv.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/gss-serv.c b/gss-serv.c
index 2ec7ea19..c719c130 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -229,6 +229,8 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
name->length = get_u32(tok+offset);
offset += 4;
+ if (UINT_MAX - offset < name->length)
+ return GSS_S_FAILURE;
if (ename->length < offset+name->length)
return GSS_S_FAILURE;
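Review bot: The added guard `if (UINT_MAX - offset < name->length)` hard-codes the width of `unsigned int`, while the sum it protects, `offset+name->length`, is evaluated in whatever type those operands promote to. The declarations of `offset` and of the `length` field are outside this hunk, so whether the two widths match cannot be confirmed from here. A width-independent form replaces both tests with a subtraction that cannot wrap: `if (ename->length < offset || ename->length - offset < name->length) return GSS_S_FAILURE;`. If the two-step form is kept, a comment such as `/* reject lengths that would make offset+name->length wrap */` above the new check would record why it must precede the bounds test, and `UINT_MAX` needs `<limits.h>` in scope, which this diff does not show. The function body continues past the hunk, including the allocation the commit message refers to.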