nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity

Tighten up a comparison in ssh2_userauth_add_sigblob.

Browse Source 
If a malicious SSH agent were to send an RSA signature blob _longer_
than the key modulus while BUG_SSH2_RSA_PADDING was enabled, then it
could DoS the client, because the put_padding call would keep
allocating memory in 'strbuf *substr' until address space ran out.
This commit is contained in:
Simon Tatham 2019-10-14 19:58:59 +01:00
parent f955300576
commit 4510a622ea
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssh2userauth.c
View File

@ -1788,7 +1788,7 @@ static void ssh2_userauth_add_sigblob(
/* debug("modulus length is %d\n", len); */
/* debug("signature length is %d\n", siglen); */
if (mod_mp.len != sig_mp.len) {
if (mod_mp.len > sig_mp.len) {
strbuf *substr = strbuf_new();
put_data(substr, sigblob.ptr, sig_prefix_len);
put_uint32(substr, mod_mp.len);