According to RFC 4256, section 3.2:
The server SHOULD take into consideration that some clients may not
be able to properly display a long name or prompt field (see next
section), and limit the lengths of those fields if possible.
The current code in UserAuthKeyboardInteractive#processAuthDataRequest does not make sure that the number of challenges or the length of each challenge is reasonable (not to mention the other packet components). Therefore, a maliciously crafted packet can cause out-of-memory errors by requesting an extremely large number of responses or sending very large challenges.
It is important to notice that this problem is not limited to the keyboard-interactive protocol but applies to the entire packet encode/decode mechanism, since it is an RLE (read-length encoding). Wherever possible, we should add reasonable but large enough limits on the expected size of strings, arrays, etc. decoded from incoming SSH packets.
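As an added illustration (not the project's code), the sketch below decodes the body of an SSH_MSG_USERAUTH_INFO_REQUEST as laid out in RFC 4256 section 3.2 and checks every length and count before allocating anything. It uses plain java.nio instead of the project's own buffer classes, and the class name and the limits MAX_PROMPTS and MAX_FIELD_LEN are hypothetical values chosen for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class BoundedInfoRequest {
    // Hypothetical limits for illustration; not values taken from the project.
    static final int MAX_PROMPTS = 32;
    static final int MAX_FIELD_LEN = 4096;

    // Reads an SSH "string" (uint32 length + bytes), validating the length before allocating.
    static String readString(ByteBuffer buf, String field) {
        if (buf.remaining() < 4) throw new IllegalArgumentException(field + ": truncated");
        int len = buf.getInt();
        if (len < 0 || len > MAX_FIELD_LEN || len > buf.remaining())
            throw new IllegalArgumentException(field + ": length " + Integer.toUnsignedString(len) + " rejected");
        byte[] data = new byte[len];
        buf.get(data);
        return new String(data, StandardCharsets.UTF_8);
    }

    // Decodes the fields that follow the message-type byte: name, instruction,
    // language tag, num-prompts, then (prompt, echo) pairs.
    static List<String> parsePrompts(ByteBuffer buf) {
        readString(buf, "name");
        readString(buf, "instruction");
        readString(buf, "language tag");
        if (buf.remaining() < 4) throw new IllegalArgumentException("num-prompts: truncated");
        int num = buf.getInt();
        if (num < 0 || num > MAX_PROMPTS)
            throw new IllegalArgumentException("num-prompts: " + Integer.toUnsignedString(num) + " rejected");
        List<String> prompts = new ArrayList<>(num); // safe: num is bounded above
        for (int i = 0; i < num; i++) {
            prompts.add(readString(buf, "prompt[" + i + "]"));
            if (!buf.hasRemaining()) throw new IllegalArgumentException("echo[" + i + "]: truncated");
            buf.get(); // echo flag, ignored in this sketch
        }
        return prompts;
    }

    public static void main(String[] args) {
        // Constructed input: three empty strings, then an oversized num-prompts.
        ByteBuffer big = ByteBuffer.allocate(16).putInt(0).putInt(0).putInt(0).putInt(Integer.MAX_VALUE);
        big.flip();
        try { parsePrompts(big); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        // Constructed input: one ordinary prompt with echo disabled.
        byte[] p = "Password: ".getBytes(StandardCharsets.UTF_8);
        ByteBuffer ok = ByteBuffer.allocate(64).putInt(0).putInt(0).putInt(0).putInt(1).putInt(p.length).put(p).put((byte) 0);
        ok.flip();
        System.out.println(parsePrompts(ok));
    }
}
```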