Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssh/dist CID 1356388: Prevent DoS fr...
details: https://anonhg.NetBSD.org/src/rev/1e5cbfe3e273
branches: trunk
changeset: 344193:1e5cbfe3e273
user: christos <christos%NetBSD.org@localhost>
date: Wed Mar 16 21:06:06 2016 +0000
description:
CID 1356388: Prevent DoS from Tainted scalar
diffstat:
crypto/external/bsd/openssh/dist/kex.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diffs (29 lines):
diff -r 9312aca1b26c -r 1e5cbfe3e273 crypto/external/bsd/openssh/dist/kex.c
--- a/crypto/external/bsd/openssh/dist/kex.c Wed Mar 16 21:01:28 2016 +0000
+++ b/crypto/external/bsd/openssh/dist/kex.c Wed Mar 16 21:06:06 2016 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kex.c,v 1.14 2016/03/11 01:55:00 christos Exp $ */
+/* $NetBSD: kex.c,v 1.15 2016/03/16 21:06:06 christos Exp $ */
/* $OpenBSD: kex.c,v 1.117 2016/02/08 10:57:07 djm Exp $ */
/*
@@ -26,7 +26,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: kex.c,v 1.14 2016/03/11 01:55:00 christos Exp $");
+__RCSID("$NetBSD: kex.c,v 1.15 2016/03/16 21:06:06 christos Exp $");
#include <sys/param.h> /* MAX roundup */
#include <signal.h>
@@ -364,6 +364,10 @@
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
return r;
+ if (ninfo > 1024) {
+ fatal("%s: too many %u fields", __func__, ninfo);
+ return SSH_ERR_INTERNAL_ERROR;
+ }
for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
return r;
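Review bot: The `return SSH_ERR_INTERNAL_ERROR;` after `fatal()` in the new `ninfo > 1024` guard looks unreachable, assuming `fatal()` does not return as elsewhere in OpenSSH, so an oversized count ends the whole process instead of failing the packet the way the neighbouring `return r;` paths do. Because `ninfo` is read straight from the peer's SSH2_MSG_EXT_INFO packet, an oversized count is malformed input rather than an internal fault; consider `error("%s: too many fields: %u", __func__, ninfo);` followed by `return SSH_ERR_INVALID_FORMAT;` so the caller decides how the connection is torn down. A named constant in place of the literal 1024, with a short comment on why the cap exists, would also help, since the loop right below performs one `sshpkt_get_cstring()` per entry. The enclosing function begins and ends outside this hunk.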