From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Tue, 19 Mar 2019 13:22:24 +0100

Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard

 interactive handling

... resulting in out of bounds write

Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

I believe that:

    `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`

... can be simplified as:

    `(session->userauth_kybd_num_prompts > 100)`

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 src/userauth.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/src/userauth.c b/src/userauth.c

index cdfa25e..3946cf9 100644

--- a/src/userauth.c

+++ b/src/userauth.c

@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,

             /* int       num-prompts */

             session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);

             s += 4;

+            if(session->userauth_kybd_num_prompts && 

+               session->userauth_kybd_num_prompts > 100) {

+               _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,

+                              "Too many replies for "

+                              "keyboard-interactive prompts");

+               goto cleanup;

+            }

             if(session->userauth_kybd_num_prompts) {

                 session->userauth_kybd_prompts =

-- 

2.17.2