Integer overflow and security

http://www.openssh.org/txt/preauth.adv

See the change:

diff -u -r1.18 auth2-chall.c
— auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
+++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@

authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
+ if (nresp > 100)
+ fatal(“input_userauth_info_response: nresp too big %u”, nresp);
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++) [/code] nresp * sizeof(char*) was an overflow bug.

Similar Posts:

Post a Comment

Your email is never published nor shared.