File openssh-7.2p2-limit_password_length.patch of Package openssh

# HG changeset patch
# Parent  e351203d2784230a3b56b8e3dd6955403ed10ca4
Limit accepted passwords length to prevent DoS by resource consumption
(via crypt() eating CPU cycles).

CVE-2016-6515
bsc#992533

upstream commit: fcd135c9df440bcd2d5870405ad3311743d78d97

diff --git a/openssh-7.2p2/auth-passwd.c b/openssh-7.2p2/auth-passwd.c
--- a/openssh-7.2p2/auth-passwd.c
+++ b/openssh-7.2p2/auth-passwd.c
@@ -61,16 +61,18 @@ extern ServerOptions options;
 #ifdef HAVE_LOGIN_CAP
 extern login_cap_t *lc;
 #endif
 
 
 #define DAY		(24L * 60 * 60) /* 1 day in seconds */
 #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
 
+#define MAX_PASSWORD_LEN	1024
+
 void
 disable_forwarding(void)
 {
 	no_port_forwarding_flag = 1;
 	no_agent_forwarding_flag = 1;
 	no_x11_forwarding_flag = 1;
 }
 
@@ -82,16 +84,19 @@ int
 auth_password(Authctxt *authctxt, const char *password)
 {
 	struct passwd * pw = authctxt->pw;
 	int result, ok = authctxt->valid;
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 	static int expire_checked = 0;
 #endif
 
+	if (strlen(password) > MAX_PASSWORD_LEN)
+		return 0;
+
 #ifndef HAVE_CYGWIN
 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
 		ok = 0;
 #endif
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
 
 #ifdef KRB5