[openssh-commits] [openssh] 03/08: upstream: Enforce a maximum size for usernames in agent key use

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 10f66b2af950c94af3b25027abec5209d90eb451
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sun May 31 04:31:04 2026 +0000

    upstream: Enforce a maximum size for usernames in agent key use
    
    constraints
    
    Along with the match_pattern() performance change that was just
    committed this avoids a denial-of-service where an agent client could
    waste CPU on an agent by sending user constraints with lots of
    wildcards.
    
    Reported by Huzaifa Sidhpurwala of Redhat
    
    ok markus
    
    OpenBSD-Commit-ID: 0483817f1a8accf4dbff42b7073ee4d119105d71
---
 ssh-agent.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ssh-agent.c b/ssh-agent.c
index 4a1781360..151b2b324 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.327 2026/05/27 03:28:07 tb Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.328 2026/05/31 04:31:04 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -101,6 +101,8 @@
 #define AGENT_MAX_DEST_CONSTRAINTS	1024
 /* Maximum number of associated certificate constraints to accept on a key */
 #define AGENT_MAX_EXT_CERTS		1024
+/* Max length of username constraint */
+#define AGENT_USER_CONSTRAINT_MAX_LEN	256
 
 /* XXX store hostkey_sid in a refcounted tree */
 
@@ -1078,13 +1080,13 @@ static int
 parse_dest_constraint_hop(struct sshbuf *b, struct dest_constraint_hop *dch)
 {
 	u_char key_is_ca;
-	size_t elen = 0;
+	size_t elen = 0, userlen = 0;
 	int r;
 	struct sshkey *k = NULL;
 	char *fp;
 
 	memset(dch, '\0', sizeof(*dch));
-	if ((r = sshbuf_get_cstring(b, &dch->user, NULL)) != 0 ||
+	if ((r = sshbuf_get_cstring(b, &dch->user, &userlen)) != 0 ||
 	    (r = sshbuf_get_cstring(b, &dch->hostname, NULL)) != 0 ||
 	    (r = sshbuf_get_string_direct(b, NULL, &elen)) != 0) {
 		error_fr(r, "parse");
@@ -1102,6 +1104,10 @@ parse_dest_constraint_hop(struct sshbuf *b, struct dest_constraint_hop *dch)
 	if (*dch->user == '\0') {
 		free(dch->user);
 		dch->user = NULL;
+	} else if (userlen > AGENT_USER_CONSTRAINT_MAX_LEN) {
+		error_f("user match pattern too long");
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
 	}
 	while (sshbuf_len(b) != 0) {
 		dch->keys = xrecallocarray(dch->keys, dch->nkeys,

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.