--- a/svr-authpasswd.c	Wed Mar 20 23:47:25 2019 +0800
+++ b/svr-authpasswd.c	Thu Mar 21 00:09:07 2019 +0800
@@ -65,7 +65,7 @@
 	}
 
 	password = buf_getstring(ses.payload, &passwordlen);
-	if (valid_user) {
+	if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) {
 		/* the first bytes of passwdcrypt are the salt */
 		passwdcrypt = ses.authstate.pw_passwd;
 		testcrypt = crypt(password, passwdcrypt);
@@ -80,6 +80,15 @@
 		return;
 	}
 
+	if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) {
+		dropbear_log(LOG_WARNING,
+				"Too-long password attempt for '%s' from %s",
+				ses.authstate.pw_name,
+				svr_ses.addrstring);
+		send_msg_userauth_failure(0, 1);
+		return;
+	}
+
 	if (testcrypt == NULL) {
 		/* crypt() with an invalid salt like "!!" */
 		dropbear_log(LOG_WARNING, "User account '%s' is locked",