From 82d24bec3430077435648ea6b8929fe1e193c600 Mon Sep 17 00:00:00 2001 From: delphij Date: Thu, 10 Aug 2017 06:36:37 +0000 Subject: [PATCH] Apply upstream fix: Skip passwords longer than 1k in length so clients can't easily DoS sshd by sending very long passwords, causing it to spend CPU hashing them. feedback djm@, ok markus@. Brought to our attention by tomas.kuthan at oracle.com, shilei-c at 360.cn and coredump at autistici.org Security: CVE-2016-6515 Security: FreeBSD-SA-17:06.openssh git-svn-id: svn://svn.freebsd.org/base/stable/10@322341 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- crypto/openssh/auth-passwd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c index 63ccf3cab..f6825ecc0 100644 --- a/crypto/openssh/auth-passwd.c +++ b/crypto/openssh/auth-passwd.c @@ -66,6 +66,8 @@ extern login_cap_t *lc; #define DAY (24L * 60 * 60) /* 1 day in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ +#define MAX_PASSWORD_LEN 1024 + void disable_forwarding(void) { @@ -87,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password) static int expire_checked = 0; #endif + if (strlen(password) > MAX_PASSWORD_LEN) + return 0; + #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; -- 2.45.0