proftpd/proftpd-sftp-kbdint-max-responses-bug3973.patch

Index: contrib/mod_sftp_pam.c
===================================================================
--- contrib/mod_sftp_pam.c.orig
+++ contrib/mod_sftp_pam.c
@@ -197,22 +197,13 @@ static int sftppam_converse(int nmsgs, P
     return PAM_CONV_ERR;
   }
 
-  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
-      &recvd_responses) < 0) {
+  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
+      &recvd_count, &recvd_responses) < 0) {
     pr_trace_msg(trace_channel, 3,
       "error receiving keyboard-interactive responses: %s", strerror(errno));
     return PAM_CONV_ERR;
   }
 
-  /* Make sure that the count of responses matches the challenge count. */
-  if (recvd_count != list->nelts) {
-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
-      "sent %d %s, but received %u %s", nmsgs,
-      list->nelts != 1 ? "challenges" : "challenge", recvd_count,
-      recvd_count != 1 ? "responses" : "response");
-    return PAM_CONV_ERR;
-  }
-
   res = calloc(nmsgs, sizeof(struct pam_response));
   if (res == NULL) {
     pr_log_pri(PR_LOG_CRIT, "Out of memory!");
Index: contrib/mod_sftp/kbdint.c
===================================================================
--- contrib/mod_sftp/kbdint.c.orig
+++ contrib/mod_sftp/kbdint.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
- * Copyright (c) 2008-2009 TJ Saunders
+ * Copyright (c) 2008-2013 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -31,6 +31,8 @@
 #include "utf8.h"
 #include "kbdint.h"
 
+#define SFTP_KBDINT_MAX_RESPONSES	500
+
 struct kbdint_driver {
   struct kbdint_driver *next, *prev;
 
@@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const cha
   return res;
 }
 
-int sftp_kbdint_recv_response(pool *p, unsigned int *count,
-    const char ***responses) {
+int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
+    unsigned int *rcvd_count, const char ***responses) {
   register unsigned int i;
   char *buf;
   cmd_rec *cmd;
@@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool *p, u
   int res;
 
   if (p == NULL ||
-      count == NULL ||
+      rcvd_count == NULL ||
       responses == NULL) {
     errno = EINVAL;
     return -1;
@@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool *p, u
 
   resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
 
+  /* Ensure that the number of responses sent by the client is the same
+   * as the number of challenges sent, lest a malicious client attempt to
+   * trick us into allocating too much memory (Bug#3973).
+   */
+  if (resp_count != expected_count) {
+    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+      "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
+      expected_count != 1 ? "challenges" : "challenge",
+      (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
+    destroy_pool(pkt->pool);
+    errno = EPERM;
+    return -1;
+  }
+
+  if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
+    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+      "received too many responses (%lu > max %lu), rejecting",
+      (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
+    destroy_pool(pkt->pool);
+    errno = EPERM;
+    return -1;
+  }
+
   list = make_array(p, resp_count, sizeof(char *));
   for (i = 0; i < resp_count; i++) {
     char *resp;
@@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool *p, u
     *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
   }
 
-  *count = (unsigned int) resp_count;
+  *rcvd_count = (unsigned int) resp_count;
   *responses = ((const char **) list->elts);
   return 0;
 }
Index: contrib/mod_sftp/mod_sftp.h.in
===================================================================
--- contrib/mod_sftp/mod_sftp.h.in.orig
+++ contrib/mod_sftp/mod_sftp.h.in
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp
- * Copyright (c) 2008-2011 TJ Saunders
+ * Copyright (c) 2008-2013 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const ch
 int sftp_kbdint_unregister_driver(const char *name);
 int sftp_kbdint_send_challenge(const char *, const char *, unsigned int,
   sftp_kbdint_challenge_t *);
-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***);
+int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *,
+  const char ***);
 
 /* API for modules that which to register keystores, for the
  * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.
Accepting request 202094 from home:computersalat:devel:network update to 1.3.4d, fix for bnc#843444 (CVE-2013-4359) OBS-URL: https://build.opensuse.org/request/show/202094 OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=24 2013-10-03 23:04:00 +02:00			`Index: contrib/mod_sftp_pam.c`
			`===================================================================`
			`--- contrib/mod_sftp_pam.c.orig`
			`+++ contrib/mod_sftp_pam.c`
			`@@ -197,22 +197,13 @@ static int sftppam_converse(int nmsgs, P`
			`return PAM_CONV_ERR;`
			`}`

			`- if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,`
			`- &recvd_responses) < 0) {`
			`+ if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,`
			`+ &recvd_count, &recvd_responses) < 0) {`
			`pr_trace_msg(trace_channel, 3,`
			`"error receiving keyboard-interactive responses: %s", strerror(errno));`
			`return PAM_CONV_ERR;`
			`}`

			`- /* Make sure that the count of responses matches the challenge count. */`
			`- if (recvd_count != list->nelts) {`
			`- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,`
			`- "sent %d %s, but received %u %s", nmsgs,`
			`- list->nelts != 1 ? "challenges" : "challenge", recvd_count,`
			`- recvd_count != 1 ? "responses" : "response");`
			`- return PAM_CONV_ERR;`
			`- }`
			`-`
			`res = calloc(nmsgs, sizeof(struct pam_response));`
			`if (res == NULL) {`
			`pr_log_pri(PR_LOG_CRIT, "Out of memory!");`
			`Index: contrib/mod_sftp/kbdint.c`
			`===================================================================`
			`--- contrib/mod_sftp/kbdint.c.orig`
			`+++ contrib/mod_sftp/kbdint.c`
			`@@ -1,6 +1,6 @@`
			`/*`
			`* ProFTPD - mod_sftp keyboard-interactive driver mgmt`
			`- * Copyright (c) 2008-2009 TJ Saunders`
			`+ * Copyright (c) 2008-2013 TJ Saunders`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`@@ -31,6 +31,8 @@`
			`#include "utf8.h"`
			`#include "kbdint.h"`

			`+#define SFTP_KBDINT_MAX_RESPONSES 500`
			`+`
			`struct kbdint_driver {`
			`struct kbdint_driver next, prev;`

			`@@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const cha`
			`return res;`
			`}`

			`-int sftp_kbdint_recv_response(pool p, unsigned int count,`
			`- const char ***responses) {`
			`+int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,`
			`+ unsigned int rcvd_count, const char **responses) {`
			`register unsigned int i;`
			`char *buf;`
			`cmd_rec *cmd;`
			`@@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool *p, u`
			`int res;`

			`if (p == NULL \|\|`
			`- count == NULL \|\|`
			`+ rcvd_count == NULL \|\|`
			`responses == NULL) {`
			`errno = EINVAL;`
			`return -1;`
			`@@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool *p, u`

			`resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);`

			`+ /* Ensure that the number of responses sent by the client is the same`
			`+ * as the number of challenges sent, lest a malicious client attempt to`
			`+ * trick us into allocating too much memory (Bug#3973).`
			`+ */`
			`+ if (resp_count != expected_count) {`
			`+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,`
			`+ "sent %lu %s, but received %lu %s", (unsigned long) expected_count,`
			`+ expected_count != 1 ? "challenges" : "challenge",`
			`+ (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");`
			`+ destroy_pool(pkt->pool);`
			`+ errno = EPERM;`
			`+ return -1;`
			`+ }`
			`+`
			`+ if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {`
			`+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,`
			`+ "received too many responses (%lu > max %lu), rejecting",`
			`+ (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);`
			`+ destroy_pool(pkt->pool);`
			`+ errno = EPERM;`
			`+ return -1;`
			`+ }`
			`+`
			`list = make_array(p, resp_count, sizeof(char *));`
			`for (i = 0; i < resp_count; i++) {`
			`char *resp;`
			`@@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool *p, u`
			`((char *) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));`
			`}`

			`- *count = (unsigned int) resp_count;`
			`+ *rcvd_count = (unsigned int) resp_count;`
			`responses = ((const char *) list->elts);`
			`return 0;`
			`}`
			`Index: contrib/mod_sftp/mod_sftp.h.in`
			`===================================================================`
			`--- contrib/mod_sftp/mod_sftp.h.in.orig`
			`+++ contrib/mod_sftp/mod_sftp.h.in`
			`@@ -1,6 +1,6 @@`
			`/*`
			`* ProFTPD - mod_sftp`
			`- * Copyright (c) 2008-2011 TJ Saunders`
			`+ * Copyright (c) 2008-2013 TJ Saunders`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`@@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const ch`
			`int sftp_kbdint_unregister_driver(const char *name);`
			`int sftp_kbdint_send_challenge(const char , const char , unsigned int,`
			`sftp_kbdint_challenge_t *);`
			`-int sftp_kbdint_recv_response(pool , unsigned int , const char ***);`
			`+int sftp_kbdint_recv_response(pool , unsigned int, unsigned int ,`
			`+ const char ***);`

			`/* API for modules that which to register keystores, for the`
			`* SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.`