Don't overflow rsa bits. As seen on bugtraq and elsewhere.
Submitted by: drow@false.org Reviewed by: ache PR: 14749
This commit is contained in:
Warner Losh
parent
656dc41609
commit
272f7058db
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=23147
1 changed files with 25 additions and 0 deletions
25
security/ssh/files/patch-ax
Normal file
25
security/ssh/files/patch-ax
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
--- rsaglue.c.orig Tue Nov 9 11:12:32 1999
|
||||
+++ rsaglue.c Tue Nov 9 11:17:58 1999
|
||||
@@ -139,6 +139,10 @@
|
||||
|
||||
input_bits = mpz_sizeinbase(input, 2);
|
||||
input_len = (input_bits + 7) / 8;
|
||||
+ if(input_bits > MAX_RSA_MODULUS_BITS)
|
||||
+ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
|
||||
+ input_bits, MAX_RSA_MODULUS_BITS);
|
||||
+
|
||||
gmp_to_rsaref(input_data, input_len, input);
|
||||
|
||||
rsaref_public_key(&public_key, key);
|
||||
@@ -172,6 +176,10 @@
|
||||
|
||||
input_bits = mpz_sizeinbase(input, 2);
|
||||
input_len = (input_bits + 7) / 8;
|
||||
+ if(input_bits > MAX_RSA_MODULUS_BITS)
|
||||
+ fatal("Received session key too long (%d bits, %d max) (malicious?).",
|
||||
+ input_bits, MAX_RSA_MODULUS_BITS);
|
||||
+
|
||||
gmp_to_rsaref(input_data, input_len, input);
|
||||
|
||||
rsaref_private_key(&private_key, key);
|
||||
|
||||
Loading…
Reference in a new issue