From 8b4f60a7a113f4e9ae801dea88606f2663728f03 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Thu, 21 Mar 2019 00:09:07 +0800
Subject: limit password length to 100

---
 svr-authpasswd.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'svr-authpasswd.c')

diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 69c7d8a..a4f3202 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -65,7 +65,7 @@ void svr_auth_password(int valid_user) {
 	}
 
 	password = buf_getstring(ses.payload, &passwordlen);
-	if (valid_user) {
+	if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) {
 		/* the first bytes of passwdcrypt are the salt */
 		passwdcrypt = ses.authstate.pw_passwd;
 		testcrypt = crypt(password, passwdcrypt);
@@ -80,6 +80,15 @@ void svr_auth_password(int valid_user) {
 		return;
 	}
 
+	if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) {
+		dropbear_log(LOG_WARNING,
+				"Too-long password attempt for '%s' from %s",
+				ses.authstate.pw_name,
+				svr_ses.addrstring);
+		send_msg_userauth_failure(0, 1);
+		return;
+	}
+
 	if (testcrypt == NULL) {
 		/* crypt() with an invalid salt like "!!" */
 		dropbear_log(LOG_WARNING, "User account '%s' is locked",
-- 
cgit v1.2.3