Don't overflow rsa bits. As seen on bugtraq and elsewhere.

Submitted by: drow@false.org Reviewed by: ache PR: 14749
author: Warner Losh <imp@FreeBSD.org> 1999-11-16 07:21:36 +0000
committer: Warner Losh <imp@FreeBSD.org> 1999-11-16 07:21:36 +0000
commit: 272f7058db9270869ca62b912a1cd26c8700dc5b (patch)
tree: 89c9f720807a1a637fe23cdca2703869e9845841
parent: Update to 0.9.50 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/security/ssh/files/patch-ax b/security/ssh/files/patch-ax
new file mode 100644
index 000000000000..c4a114fc306e
--- /dev/null
+++ b/security/ssh/files/patch-ax
@@ -0,0 +1,25 @@
+--- rsaglue.c.orig	Tue Nov  9 11:12:32 1999
++++ rsaglue.c	Tue Nov  9 11:17:58 1999
+@@ -139,6 +139,10 @@
+
+   input_bits = mpz_sizeinbase(input, 2);
+   input_len = (input_bits + 7) / 8;
++  if(input_bits > MAX_RSA_MODULUS_BITS)
++    fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
++    	input_bits, MAX_RSA_MODULUS_BITS);
++
+   gmp_to_rsaref(input_data, input_len, input);
+
+   rsaref_public_key(&public_key, key);
+@@ -172,6 +176,10 @@
+
+   input_bits = mpz_sizeinbase(input, 2);
+   input_len = (input_bits + 7) / 8;
++  if(input_bits > MAX_RSA_MODULUS_BITS)
++    fatal("Received session key too long (%d bits, %d max) (malicious?).",
++    	input_bits, MAX_RSA_MODULUS_BITS);
++
+   gmp_to_rsaref(input_data, input_len, input);
+
+   rsaref_private_key(&private_key, key);
+
author	Warner Losh <imp@FreeBSD.org>	1999-11-16 07:21:36 +0000
committer	Warner Losh <imp@FreeBSD.org>	1999-11-16 07:21:36 +0000
commit	272f7058db9270869ca62b912a1cd26c8700dc5b (patch)
tree	89c9f720807a1a637fe23cdca2703869e9845841
parent	Update to 0.9.50 (diff)