Blame SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch

4e9174
From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
4e9174
From: Kamil Dudka <kdudka@redhat.com>
4e9174
Date: Tue, 19 Mar 2019 13:22:24 +0100
4e9174
Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
4e9174
 interactive handling
4e9174
4e9174
... resulting in out of bounds write
4e9174
4e9174
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
4e9174
4e9174
I believe that:
4e9174
4e9174
    `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
4e9174
4e9174
... can be simplified as:
4e9174
4e9174
    `(session->userauth_kybd_num_prompts > 100)`
4e9174
4e9174
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
4e9174
---
4e9174
 src/userauth.c | 7 +++++++
4e9174
 1 file changed, 7 insertions(+)
4e9174
4e9174
diff --git a/src/userauth.c b/src/userauth.c
4e9174
index cdfa25e..3946cf9 100644
4e9174
--- a/src/userauth.c
4e9174
+++ b/src/userauth.c
d780b0
@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
4e9174
             /* int       num-prompts */
4e9174
             session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
4e9174
             s += 4;
4e9174
+            if(session->userauth_kybd_num_prompts && 
4e9174
+               session->userauth_kybd_num_prompts > 100) {
4e9174
+               _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
4e9174
+                              "Too many replies for "
4e9174
+                              "keyboard-interactive prompts");
4e9174
+               goto cleanup;
4e9174
+            }
4e9174
 
4e9174
             if(session->userauth_kybd_num_prompts) {
4e9174
                 session->userauth_kybd_prompts =
4e9174
-- 
4e9174
2.17.2
4e9174