From 150a5466926078750dbca3d206c09ab8758730f8 Mon Sep 17 00:00:00 2001 From: mouring Date: Fri, 22 Mar 2002 01:08:07 +0000 Subject: [PATCH] - markus@cvs.openbsd.org 2002/03/14 15:24:27 [sshconnect1.c] don't trust size sent by (rogue) server; noted by s.esser@e-matters.de --- ChangeLog | 3 +++ sshconnect1.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 0f7aac43..6fa52672 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - itojun@cvs.openbsd.org 2002/03/11 03:19:53 [sftp-client.c] indent + - markus@cvs.openbsd.org 2002/03/14 15:24:27 + [sshconnect1.c] + don't trust size sent by (rogue) server; noted by s.esser@e-matters.de 20020317 - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted, diff --git a/sshconnect1.c b/sshconnect1.c index d7722f4b..39369413 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.48 2002/02/11 16:15:46 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.49 2002/03/14 15:24:27 markus Exp $"); #include #include @@ -459,6 +459,8 @@ try_krb4_authentication(void) /* Get server's response. */ reply = packet_get_string((u_int *) &auth.length); + if (auth.length >= MAX_KTXT_LEN) + fatal("Kerberos v4: Malformed response from server"); memcpy(auth.dat, reply, auth.length); xfree(reply); -- 2.45.1