Bugzilla – Bug 3973
mod_sftp can be forced to allocate too much memory for keyboard-interactive authentication
Last modified: 2014-01-28 18:50:32 UTC
When mod_sftp is configured to support/use keyboard-interactive authentication, via the mod_sftp_pam module, then it is possible for a client to force mod_sftp to allocate too much memory, and crash the process. See: http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invali d-pool-allocation-in-kbdint-authentication/
Better URL (copy-paste broke the last one): http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/
Created attachment 4072: Fixes bug

This patch addresses the issue by imposing an upper bound on the response count sent by the client; the upper bound is defined to be 500.
Created attachment 4075: Better patch

This patch is better, as it ensures both that a) the received response count matches the number of challenges sent, and b) that the received response count is not too high (as an additional sanity check); the upper bound is still set to 500.
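The two checks described in the comment above, as an added C example that is not the ProFTPD patch itself: it reads the num-responses field of an SSH_MSG_USERAUTH_INFO_RESPONSE payload (RFC 4256 layout: uint32 count, then that many SSH strings) and rejects the message before any allocation is sized by the client's number. The function names and the sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hard upper bound on responses, matching the value chosen in the patch. */
#define KBDINT_MAX_RESPONSES 500

/* Reads a big-endian uint32 from an SSH packet buffer, advancing the cursor. */
static int read_u32(const unsigned char **p, size_t *len, uint32_t *out) {
    if (*len < 4) return -1;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4; *len -= 4;
    return 0;
}

/* Validates a USERAUTH_INFO_RESPONSE payload against the number of prompts
 * the server actually sent. Returns the response count on success, or -1 when
 * the count does not match the challenges sent, exceeds the sanity bound, or
 * the strings claim more bytes than the packet contains. Only after this
 * returns >= 0 is it safe to allocate an array of `count` responses. */
int kbdint_validate_responses(const unsigned char *buf, size_t len,
                              uint32_t expected_prompts) {
    uint32_t count, slen, i;
    if (read_u32(&buf, &len, &count) < 0) return -1;
    /* Check a): count must equal the number of challenges sent.
     * Check b): count must never exceed the hard limit, so a client-supplied
     * number can never drive an oversized pool allocation. */
    if (count != expected_prompts || count > KBDINT_MAX_RESPONSES) return -1;
    for (i = 0; i < count; i++) {
        if (read_u32(&buf, &len, &slen) < 0) return -1;
        if (slen > len) return -1;   /* string runs past the end of the packet */
        buf += slen; len -= slen;
    }
    return (int)count;
}

/* Constructed sample payloads (not captured traffic). */
const unsigned char kbdint_sample_ok[]   = {0,0,0,1, 0,0,0,6, 's','e','c','r','e','t'};
const unsigned char kbdint_sample_huge[] = {0xff,0xff,0xff,0xff};            /* absurd count */
const unsigned char kbdint_sample_two[]  = {0,0,0,2, 0,0,0,1,'a', 0,0,0,1,'b'}; /* 2 for 1 prompt */

int main(void) {
    printf("ok=%d huge=%d mismatch=%d\n",
           kbdint_validate_responses(kbdint_sample_ok, sizeof kbdint_sample_ok, 1),
           kbdint_validate_responses(kbdint_sample_huge, sizeof kbdint_sample_huge, 1),
           kbdint_validate_responses(kbdint_sample_two, sizeof kbdint_sample_two, 1));
    return 0;
}
```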
Patch committed to CVS, and backported to 1.3.4 branch.
For future reference, this issue has been assigned as CVE-2013-4359.
Resolved in 1.3.5rc4.