From 272f7058db9270869ca62b912a1cd26c8700dc5b Mon Sep 17 00:00:00 2001
From: Warner Losh <imp@FreeBSD.org>
Date: Tue, 16 Nov 1999 07:21:36 +0000
Subject: Don't overflow rsa bits.  As seen on bugtraq and elsewhere.

Submitted by: drow@false.org
Reviewed by: ache
PR: 14749
---
 security/ssh/files/patch-ax | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 security/ssh/files/patch-ax

diff --git a/security/ssh/files/patch-ax b/security/ssh/files/patch-ax
new file mode 100644
index 000000000000..c4a114fc306e
--- /dev/null
+++ b/security/ssh/files/patch-ax
@@ -0,0 +1,25 @@
+--- rsaglue.c.orig	Tue Nov  9 11:12:32 1999
++++ rsaglue.c	Tue Nov  9 11:17:58 1999
+@@ -139,6 +139,10 @@
+
+   input_bits = mpz_sizeinbase(input, 2);
+   input_len = (input_bits + 7) / 8;
++  if(input_bits > MAX_RSA_MODULUS_BITS)
++    fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
++    	input_bits, MAX_RSA_MODULUS_BITS);
++
+   gmp_to_rsaref(input_data, input_len, input);
+
+   rsaref_public_key(&public_key, key);
+@@ -172,6 +176,10 @@
+
+   input_bits = mpz_sizeinbase(input, 2);
+   input_len = (input_bits + 7) / 8;
++  if(input_bits > MAX_RSA_MODULUS_BITS)
++    fatal("Received session key too long (%d bits, %d max) (malicious?).",
++    	input_bits, MAX_RSA_MODULUS_BITS);
++
+   gmp_to_rsaref(input_data, input_len, input);
+
+   rsaref_private_key(&private_key, key);
+
-- 
cgit v1.2.3