- (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
authordjm <djm>
Wed, 26 Jun 2002 13:57:59 +0000 (13:57 +0000)
committerdjm <djm>
Wed, 26 Jun 2002 13:57:59 +0000 (13:57 +0000)
ChangeLog
auth2-pam.c

index cf0398f523d3786113f25a711cfbcd2dae00e817..6f3c4ca1e4e205f33778d08ffdc2220a2bd381a5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -59,6 +59,7 @@
  - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai 
    <nalin@redhat.com>
  - (djm) Update spec files for release 
+ - (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
 
 20020625
  - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
index e442ca208abb429a2140abfcfbc197fd0bc1d976..b2bfa8130649958de564f64fcfebed434f1f5af0 100644 (file)
@@ -140,6 +140,15 @@ input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
        nresp = packet_get_int();       /* Number of responses. */
        debug("got %d responses", nresp);
 
+
+       if (nresp != context_pam2.num_expected)
+               fatal("%s: Received incorrect number of responses "
+                   "(expected %u, received %u)", __func__, nresp,
+                   context_pam2.num_expected);
+
+       if (nresp > 100)
+               fatal("%s: too many replies", __func__);
+
        for (i = 0; i < nresp; i++) {
                int j = context_pam2.prompts[i];
 
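Review bot: The arguments to the new `fatal()` call are in the opposite order to the format string. The message reads "(expected %u, received %u)" but is passed `nresp, context_pam2.num_expected`, so the log reports the client-supplied count as the expected one. Swap them so the last line of the call reads `context_pam2.num_expected);` and the line before it ends `__func__, nresp` → `__func__, context_pam2.num_expected, nresp`, which keeps the auth-failure record accurate for anyone triaging it. The equality check is also what bounds the `context_pam2.prompts[i]` index in the loop below, so a short comment such as `/* nresp is attacker-controlled; must match the prompt count before indexing or sizing anything */` would make that dependency explicit. The bare `100` would read better as a named constant, and it presumably belongs where `num_expected` is set as well (not visible here). The body of `input_userauth_info_response_pam` starts and ends outside this hunk.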