author | Darren Tucker <dtucker@dtucker.net> | 2020-11-11 12:30:46 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2020-11-11 14:05:30 +1100 |
commit | fcf429a4c69d30d8725612a55b37181594da8ddf (patch) | |
tree | ffd46ec44e6a9c60608a511755bd785d9c9605f1 | |
parent | 10dce8ff68ef615362cfcab0c0cc33ce524e7682 (diff) | |
download | openssh-git-fcf429a4c69d30d8725612a55b37181594da8ddf.tar.gz |
Prevent excessively long username going to PAM.
This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations. This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some other
PAM application.
Based on github PR#212 from Mike Scott but implemented slightly
differently. ok tim@ djm@
-rw-r--r-- | auth-pam.c | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -689,6 +689,12 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt) const char *pam_user, *user = authctxt->user; const char **ptr_pam_user = &pam_user; +#if defined(PAM_SUN_CODEBASE) && defined(PAM_MAX_RESP_SIZE) + /* Protect buggy PAM implementations from excessively long usernames */ + if (strlen(user) >= PAM_MAX_RESP_SIZE) + fatal("Username too long from %s port %d", + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); +#endif if (sshpam_handle == NULL) { if (ssh == NULL) { fatal("%s: called initially with no " |
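Review bot: the new fatal() call hands ssh to ssh_remote_ipaddr(ssh) and ssh_remote_port(ssh) ahead of the existing `if (ssh == NULL)` test visible in the context lines just below, so the length check uses a pointer that the function itself treats as possibly NULL. Consider either moving the check to after that NULL test, or guarding the address lookup so the message falls back to a fixed string when ssh is NULL. The comment could also name CVE-2020-14871 and state that names of PAM_MAX_RESP_SIZE bytes or longer are rejected (the test is `>=`), so a later reader can see why the block is limited to PAM_SUN_CODEBASE without going back to the commit message.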