Prevent excessively long username going to PAM.

This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. Based on github PR#212 from Mike Scott but implemented slightly differently. ok tim@ djm@
author: Darren Tucker <dtucker@dtucker.net> 2020-11-11 12:30:46 +1100
committer: Darren Tucker <dtucker@dtucker.net> 2020-11-11 14:05:30 +1100
commit: fcf429a4c69d30d8725612a55b37181594da8ddf (patch)
tree: ffd46ec44e6a9c60608a511755bd785d9c9605f1
parent: 10dce8ff68ef615362cfcab0c0cc33ce524e7682 (diff)
download: openssh-git-fcf429a4c69d30d8725612a55b37181594da8ddf.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/auth-pam.c b/auth-pam.c
index 83238215..d429ef13 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -689,6 +689,12 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
 	const char *pam_user, *user = authctxt->user;
 	const char **ptr_pam_user = &pam_user;
 
+#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE)
+	/* Protect buggy PAM implementations from excessively long usernames */
+	if (strlen(user) >= PAM_MAX_RESP_SIZE)
+		fatal("Username too long from %s port %d",
+		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
+#endif
 	if (sshpam_handle == NULL) {
 		if (ssh == NULL) {
 			fatal("%s: called initially with no "
author	Darren Tucker <dtucker@dtucker.net>	2020-11-11 12:30:46 +1100
committer	Darren Tucker <dtucker@dtucker.net>	2020-11-11 14:05:30 +1100
commit	fcf429a4c69d30d8725612a55b37181594da8ddf (patch)
tree	ffd46ec44e6a9c60608a511755bd785d9c9605f1
parent	10dce8ff68ef615362cfcab0c0cc33ce524e7682 (diff)
download	openssh-git-fcf429a4c69d30d8725612a55b37181594da8ddf.tar.gz