2 files changed, 12 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index 845b5a9aa..852fa1d3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -59,6 +59,7 @@
  - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai 
    <nalin@redhat.com>
  - (djm) Update spec files for release 
+ - (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
 
 20020625
  - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
@@ -1158,4 +1159,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2298 2002/06/26 13:57:12 djm Exp $
+$Id: ChangeLog,v 1.2299 2002/06/26 13:57:59 djm Exp $
diff --git a/auth2-pam.c b/auth2-pam.c
index dd29ebd48..99aedeaeb 100644
--- a/auth2-pam.c
+++ b/auth2-pam.c
@@ -1,5 +1,5 @@
 #include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.12 2002/01/22 12:43:13 djm Exp $");
+RCSID("$Id: auth2-pam.c,v 1.13 2002/06/26 13:58:00 djm Exp $");
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -140,6 +140,15 @@ input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
         nresp = packet_get_int();       /* Number of responses. */
         debug("got %d responses", nresp);
 
+
+        if (nresp != context_pam2.num_expected)
+                fatal("%s: Received incorrect number of responses "
+                    "(expected %u, received %u)", __func__, nresp,
+                    context_pam2.num_expected);
+
+        if (nresp > 100)
+                fatal("%s: too many replies", __func__);
+
         for (i = 0; i < nresp; i++) {
                 int j = context_pam2.prompts[i];