From 4510a622ea16390d18014e4523fbc9cbe492578c Mon Sep 17 00:00:00 2001
From: Simon Tatham <anakin@pobox.com>
Date: Mon, 14 Oct 2019 19:58:59 +0100
Subject: [PATCH] Tighten up a comparison in ssh2_userauth_add_sigblob.

If a malicious SSH agent were to send an RSA signature blob _longer_
than the key modulus while BUG_SSH2_RSA_PADDING was enabled, then it
could DoS the client, because the put_padding call would keep
allocating memory in 'strbuf *substr' until address space ran out.
---
 ssh2userauth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssh2userauth.c b/ssh2userauth.c
index dace56f1..4d0d0392 100644
--- a/ssh2userauth.c
+++ b/ssh2userauth.c
@@ -1788,7 +1788,7 @@ static void ssh2_userauth_add_sigblob(
         /* debug("modulus length is %d\n", len); */
         /* debug("signature length is %d\n", siglen); */
 
-        if (mod_mp.len != sig_mp.len) {
+        if (mod_mp.len > sig_mp.len) {
             strbuf *substr = strbuf_new();
             put_data(substr, sigblob.ptr, sig_prefix_len);
             put_uint32(substr, mod_mp.len);