- markus@cvs.openbsd.org 2002/03/14 15:24:27
     [sshconnect1.c]
     don't trust size sent by (rogue) server; noted by s.esser@e-matters.de
diff --git a/ChangeLog b/ChangeLog
index 6a80682..1d512e6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
    - itojun@cvs.openbsd.org 2002/03/11 03:19:53
      [sftp-client.c]
      indent
+   - markus@cvs.openbsd.org 2002/03/14 15:24:27
+     [sshconnect1.c]
+     don't trust size sent by (rogue) server; noted by s.esser@e-matters.de
 
 20020317
  - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7855,4 +7858,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1926 2002/03/22 01:05:27 mouring Exp $
+$Id: ChangeLog,v 1.1927 2002/03/22 01:08:07 mouring Exp $
diff --git a/sshconnect1.c b/sshconnect1.c
index d7722f4..3936941 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.48 2002/02/11 16:15:46 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.49 2002/03/14 15:24:27 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -459,6 +459,8 @@
 
 		/* Get server's response. */
 		reply = packet_get_string((u_int *) &auth.length);
+		if (auth.length >= MAX_KTXT_LEN)
+			fatal("Kerberos v4: Malformed response from server");
 		memcpy(auth.dat, reply, auth.length);
 		xfree(reply);
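Review bot: The added bound on the Kerberos v4 reply compares `auth.length` as declared, but the line above fills it through a `(u_int *)` cast, which suggests the field is not an unsigned type. If it is a signed int, a length with the top bit set would compare below `MAX_KTXT_LEN` and still reach the `memcpy` as a very large size. Forcing an unsigned comparison closes that whatever the field's type is: `if ((u_int)auth.length >= MAX_KTXT_LEN)`. Whether `packet_get_string` already caps the length is not visible here, and the enclosing function starts and ends outside the hunk. A comment such as `/* length is server-controlled; bound it before copying into auth.dat */` would record why the check exists.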