- markus@cvs.openbsd.org 2002/03/14 15:24:27

     [sshconnect1.c]
     don't trust size sent by (rogue) server; noted by s.esser@e-matters.de

2 files changed, 7 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 6a80682c7..1d512e6fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
    - itojun@cvs.openbsd.org 2002/03/11 03:19:53
      [sftp-client.c]
      indent
+   - markus@cvs.openbsd.org 2002/03/14 15:24:27
+     [sshconnect1.c]
+     don't trust size sent by (rogue) server; noted by s.esser@e-matters.de
 
 20020317
  - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is wanted,
@@ -7855,4 +7858,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1926 2002/03/22 01:05:27 mouring Exp $
+$Id: ChangeLog,v 1.1927 2002/03/22 01:08:07 mouring Exp $
diff --git a/sshconnect1.c b/sshconnect1.c
index d7722f4b9..393694138 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.48 2002/02/11 16:15:46 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.49 2002/03/14 15:24:27 markus Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -459,6 +459,8 @@ try_krb4_authentication(void)
 
                 /* Get server's response. */
                 reply = packet_get_string((u_int *) &auth.length);
+                if (auth.length >= MAX_KTXT_LEN)
+                        fatal("Kerberos v4: Malformed response from server");
                 memcpy(auth.dat, reply, auth.length);
                 xfree(reply);