upstream: Limit number of entries in SSH2_MSG_EXT_INFO

request. This is already constrained by the maximum SSH packet size but this makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@ OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09
author: dtucker@openbsd.org <dtucker@openbsd.org> 2023-03-12 11:40:39 +0100
committer: Darren Tucker <dtucker@dtucker.net> 2023-03-12 12:02:18 +0100
commit: d95af508e78c0cd3dce56b83853baaa59ae295cf (patch)
tree: 5e328ef48b7505ca6a71fd0e64fbe4ff73213a46 /kex.c
parent: upstream: calloc can return NULL but xcalloc can't. (diff)
download: openssh-d95af508e78c0cd3dce56b83853baaa59ae295cf.tar.xz
openssh-d95af508e78c0cd3dce56b83853baaa59ae295cf.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/kex.c b/kex.c
index 7afb838cf..b4e2ab75f 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.177 2023/03/08 04:43:12 guenther Exp $ */
+/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -541,6 +541,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
 	ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
 	if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
 		return r;
+	if (ninfo >= 1024) {
+		error("SSH2_MSG_EXT_INFO with too many entries, expected "
+		    "<=1024, received %u", ninfo);
+		return SSH_ERR_INVALID_FORMAT;
+	}
 	for (i = 0; i < ninfo; i++) {
 		if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
 			return r;
author	dtucker@openbsd.org <dtucker@openbsd.org>	2023-03-12 11:40:39 +0100
committer	Darren Tucker <dtucker@dtucker.net>	2023-03-12 12:02:18 +0100
commit	d95af508e78c0cd3dce56b83853baaa59ae295cf (patch)
tree	5e328ef48b7505ca6a71fd0e64fbe4ff73213a46 /kex.c
parent	upstream: calloc can return NULL but xcalloc can't. (diff)
download	openssh-d95af508e78c0cd3dce56b83853baaa59ae295cf.tar.xz openssh-d95af508e78c0cd3dce56b83853baaa59ae295cf.zip