# HG changeset patch # Parent 9888bc3f536eab9f528d9c96e5e8a2501ed168f5 Limit accepted passwords length to prevent DoS by resource consumption (via crypt() eating CPU cycles). CVE-2016-6515 bsc#992533 upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97 diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c --- a/openssh-7.2p2/auth-passwd.c +++ b/openssh-7.2p2/auth-passwd.c @@ -61,16 +61,18 @@ extern ServerOptions options; #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; #endif #define DAY (24L * 60 * 60) /* 1 day in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ +#define MAX_PASSWORD_LEN 1024 + void disable_forwarding(void) { no_port_forwarding_flag = 1; no_agent_forwarding_flag = 1; no_x11_forwarding_flag = 1; } @@ -82,16 +84,19 @@ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; int result, ok = authctxt->valid; #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) static int expire_checked = 0; #endif + if (strlen(password) > MAX_PASSWORD_LEN) + return 0; + #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; #ifdef KRB5