* Backport from 4.4p1 (since I don't have an updated version of the GSSAPI

  patch yet):
  - CVE-2006-4924: Fix a pre-authentication denial of service found by
    Tavis Ormandy, that would cause sshd(8) to spin until the login grace
    time expired (closes: #389995).

4 files changed, 43 insertions, 6 deletions

diff --git a/deattack.c b/deattack.c
index 8b55d6686..d174abc76 100644
--- a/deattack.c
+++ b/deattack.c
@@ -27,6 +27,24 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
 #include "xmalloc.h"
 #include "deattack.h"
 
+/*
+ * CRC attack detection has a worst-case behaviour that is O(N^3) over
+ * the number of identical blocks in a packet. This behaviour can be 
+ * exploited to create a limited denial of service attack. 
+ * 
+ * However, because we are dealing with encrypted data, identical
+ * blocks should only occur every 2^35 maximally-sized packets or so. 
+ * Consequently, we can detect this DoS by looking for identical blocks
+ * in a packet.
+ *
+ * The parameter below determines how many identical blocks we will
+ * accept in a single packet, trading off between attack detection and
+ * likelihood of terminating a legitimate connection. A value of 32 
+ * corresponds to an average of 2^40 messages before an attack is
+ * misdetected
+ */
+#define MAX_IDENTICAL   32
+
 /* SSH Constants */
 #define SSH_MAXBLOCKS   (32 * 1024)
 #define SSH_BLOCKSIZE   (8)
@@ -87,7 +105,7 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
         static u_int16_t *h = (u_int16_t *) NULL;
         static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
         u_int32_t i, j;
-        u_int32_t l;
+        u_int32_t l, same;
         u_char *c;
         u_char *d;
 
@@ -133,17 +151,21 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
         if (IV)
                 h[HASH(IV) & (n - 1)] = HASH_IV;
 
-        for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+        for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
                 for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
                     i = (i + 1) & (n - 1)) {
                         if (h[i] == HASH_IV) {
                                 if (!CMP(c, IV)) {
+                                        if (++same > MAX_IDENTICAL)
+                                                return (DEATTACK_DOS_DETECTED);
                                         if (check_crc(c, buf, len, IV))
                                                 return (DEATTACK_DETECTED);
                                         else
                                                 break;
                                 }
                         } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+                                if (++same > MAX_IDENTICAL)
+                                        return (DEATTACK_DOS_DETECTED);
                                 if (check_crc(c, buf, len, IV))
                                         return (DEATTACK_DETECTED);
                                 else
diff --git a/deattack.h b/deattack.h
index ddccdea50..cd3d7aa3b 100644
--- a/deattack.h
+++ b/deattack.h
@@ -25,6 +25,7 @@
 /* Return codes */
 #define DEATTACK_OK             0
 #define DEATTACK_DETECTED       1
+#define DEATTACK_DOS_DETECTED   2
 
 int      detect_attack(u_char *, u_int32_t, u_char[8]);
 #endif
diff --git a/debian/changelog b/debian/changelog
index 5e321f09b..705a61580 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,16 @@
-openssh (1:4.3p2-4) UNRELEASED; urgency=low
+openssh (1:4.3p2-4) UNRELEASED; urgency=high
+
+  * Backport from 4.4p1 (since I don't have an updated version of the GSSAPI
+    patch yet):
+    - CVE-2006-4924: Fix a pre-authentication denial of service found by
+      Tavis Ormandy, that would cause sshd(8) to spin until the login grace
+      time expired (closes: #389995).
 
   * Read /etc/default/locale as well as /etc/environment (thanks, Raphaël
     Hertzog; closes: #369395).
   * Remove no-longer-used ssh/insecure_rshd debconf template.
   * Make ssh/insecure_telnetd Type: error (closes: #388946).
+
   * debconf template translations:
     - Update Portuguese (thanks, Rui Branco; closes: #381942).
     - Update Spanish (thanks, Javier Fernández-Sanguino Peña;
diff --git a/packet.c b/packet.c
index 3208383e8..827ae16b3 100644
--- a/packet.c
+++ b/packet.c
@@ -992,9 +992,16 @@ packet_read_poll1(void)
          * (C)1998 CORE-SDI, Buenos Aires Argentina
          * Ariel Futoransky(futo@core-sdi.com)
          */
-        if (!receive_context.plaintext &&
-            detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
-                packet_disconnect("crc32 compensation attack: network attack detected");
+        if (!receive_context.plaintext) {
+                switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
+                case DEATTACK_DETECTED:
+                        packet_disconnect("crc32 compensation attack: "
+                            "network attack detected");
+                case DEATTACK_DOS_DETECTED:
+                        packet_disconnect("deattack denial of "
+                            "service detected");
+                }
+        }
 
         /* Decrypt data to incoming_packet. */
         buffer_clear(&incoming_packet);