mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00

Fix server-triggered DoS in keyboard-interactive auth.

If a server sends a very large number as the num-prompts field, we'd
loop round calling get_string and get_bool, which would run off the
end of the buffer but still carefully return legal default values (the
empty string and false), so we'd carry on piling pointless stuff into
s->cur_prompt and using up lots of memory.

Coverity pointed this out by warning that an untrusted server-provided
value was being used as a loop bound. I'm not convinced that's an
error in every case, but I must admit it pointed out a useful thing
here!

The fix is to check the error indicator on the BinarySource after
reading each prompt from the input packet. Then we'll only keep
allocating memory as long as there's actually data in the packet.
Simon Tatham 2019-05-04 15:58:21 +01:00
parent 01bcae8c5d
commit 0d0b0a45bc
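As an added illustration of the failure mode and the fix described in the commit message (example code written for this page, not PuTTY's own; the `Src`, `src_get_*`, `parse_prompts` and `run_demo` names, the simplified reader and the constructed packet are all assumptions), the following stand-in for a BinarySource-style reader carries a sticky error flag and parses the prompt list of an SSH_MSG_USERAUTH_INFO_REQUEST both without and with the per-prompt error check. The constructed packet claims 100000 prompts but carries only two, so the unchecked loop keeps "appending" long after the data has run out, while the checked loop stops at the third read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for PuTTY's BinarySource: a byte
 * buffer, a read cursor and a sticky error flag. Once err is set, every
 * further read fails and returns a harmless default. */
typedef struct {
    const unsigned char *data;
    size_t len, pos;
    bool err;
} Src;

typedef struct { const void *ptr; size_t len; } PtrLen;

static uint32_t src_get_uint32(Src *s) {
    if (s->err || s->len - s->pos < 4) { s->err = true; return 0; }
    uint32_t v = ((uint32_t)s->data[s->pos] << 24) |
                 ((uint32_t)s->data[s->pos + 1] << 16) |
                 ((uint32_t)s->data[s->pos + 2] << 8) |
                 (uint32_t)s->data[s->pos + 3];
    s->pos += 4;
    return v;
}

/* SSH string: uint32 length, then that many bytes. On truncation this
 * sets err and returns the empty string, the "legal default value"
 * the commit message refers to. */
static PtrLen src_get_string(Src *s) {
    PtrLen empty = { "", 0 };
    uint32_t n = src_get_uint32(s);
    if (s->err || s->len - s->pos < n) { s->err = true; return empty; }
    PtrLen r = { s->data + s->pos, n };
    s->pos += n;
    return r;
}

static bool src_get_bool(Src *s) {
    if (s->err || s->len - s->pos < 1) { s->err = true; return false; }
    return s->data[s->pos++] != 0;
}

/* Parse "uint32 num-prompts, then num-prompts x (string prompt, boolean
 * echo)". Returns the number of prompts appended, or -1 when check_err
 * is set and the packet runs out of data. Instead of allocating a
 * strbuf per prompt as the real code does, we only count iterations,
 * which is enough to show how far the unchecked loop runs. */
static long parse_prompts(const unsigned char *pkt, size_t pktlen, bool check_err) {
    Src s = { pkt, pktlen, 0, false };
    uint32_t nprompts = src_get_uint32(&s);   /* untrusted loop bound */
    long appended = 0;
    for (uint32_t i = 0; i < nprompts; i++) {
        PtrLen prompt = src_get_string(&s);
        bool echo = src_get_bool(&s);
        (void)prompt; (void)echo;
        if (check_err && s.err)
            return -1;  /* truncated packet: stop before allocating more */
        appended++;     /* the real code would strbuf_new() here */
    }
    return appended;
}

/* Encoders for the constructed sample packet. */
static size_t put_uint32(unsigned char *out, uint32_t v) {
    out[0] = (unsigned char)(v >> 24); out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);  out[3] = (unsigned char)v;
    return 4;
}
static size_t put_string(unsigned char *out, const char *str) {
    size_t n = strlen(str);
    put_uint32(out, (uint32_t)n);
    memcpy(out + 4, str, n);
    return 4 + n;
}

/* Constructed sample: the prompt section of an INFO_REQUEST claiming
 * `claimed` prompts but actually carrying two. Returns packet length. */
static size_t build_packet(unsigned char *buf, uint32_t claimed) {
    size_t n = 0;
    n += put_uint32(buf + n, claimed);
    n += put_string(buf + n, "Password: "); buf[n++] = 0;  /* echo = false */
    n += put_string(buf + n, "Token: ");    buf[n++] = 1;  /* echo = true  */
    return n;
}

/* Build the sample packet with the given claimed count and parse it. */
long run_demo(uint32_t claimed, bool check_err) {
    unsigned char buf[64];
    size_t len = build_packet(buf, claimed);
    return parse_prompts(buf, len, check_err);
}

int main(void) {
    printf("unchecked: %ld prompts piled up\n", run_demo(100000, false));
    printf("checked:   %ld (protocol error)\n", run_demo(100000, true));
    printf("honest:    %ld prompts\n", run_demo(2, true));
    return 0;
}
```

The important property is that the error flag is sticky, so checking it once after the two reads of each iteration covers the length prefix, the string body and the boolean together, and placing the check before the per-prompt allocation means nothing is allocated for data the packet never contained.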


@ -1252,6 +1252,13 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
ptrlen prompt = get_string(pktin);
bool echo = get_bool(pktin);
if (get_err(pktin)) {
ssh_proto_error(
s->ppl.ssh, "Server sent truncated "
"SSH_MSG_USERAUTH_INFO_REQUEST packet");
return;
}
sb = strbuf_new();
if (!prompt.len) {
put_datapl(sb, PTRLEN_LITERAL(
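Review bot: the `return;` after ssh_proto_error leaves whatever earlier iterations of this loop already appended to s->cur_prompt to be released elsewhere; it is worth confirming that the layer's teardown on a protocol error frees s->cur_prompt, since nothing in the hunk does. The placement of the check is right, as it runs before `sb = strbuf_new();` so no strbuf is leaked for the truncated prompt, and because get_err is sticky one check after both `get_string(pktin)` and `get_bool(pktin)` covers the length prefix, the string body and the boolean. A one-line comment saying that this check, not the loop bound, is what protects against an oversized num-prompts would help the next reader, since the bound itself is still the server-supplied value.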