|
 |
eb5047 |
From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
|
|
|
eb5047 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
eb5047 |
Date: Tue, 19 Mar 2019 13:22:24 +0100
|
|
|
eb5047 |
Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
|
|
|
eb5047 |
interactive handling
|
|
|
eb5047 |
|
|
|
eb5047 |
... resulting in out of bounds write
|
|
|
eb5047 |
|
|
|
eb5047 |
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
|
|
|
eb5047 |
|
|
|
eb5047 |
I believe that:
|
|
|
eb5047 |
|
|
|
eb5047 |
`(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
|
|
|
eb5047 |
|
|
|
eb5047 |
... can be simplified as:
|
|
|
eb5047 |
|
|
|
eb5047 |
`(session->userauth_kybd_num_prompts > 100)`
|
|
|
eb5047 |
|
|
|
eb5047 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
eb5047 |
---
|
|
|
eb5047 |
src/userauth.c | 7 +++++++
|
|
|
eb5047 |
1 file changed, 7 insertions(+)
|
|
|
eb5047 |
|
|
|
eb5047 |
diff --git a/src/userauth.c b/src/userauth.c
|
|
|
eb5047 |
index cdfa25e..3946cf9 100644
|
|
|
eb5047 |
--- a/src/userauth.c
|
|
|
eb5047 |
+++ b/src/userauth.c
|
|
|
eb5047 |
@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
|
|
|
eb5047 |
/* int num-prompts */
|
|
|
eb5047 |
session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
|
|
|
eb5047 |
s += 4;
|
|
|
eb5047 |
+ if(session->userauth_kybd_num_prompts &&
|
|
|
eb5047 |
+ session->userauth_kybd_num_prompts > 100) {
|
|
|
eb5047 |
+ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
|
|
|
eb5047 |
+ "Too many replies for "
|
|
|
eb5047 |
+ "keyboard-interactive prompts");
|
|
|
eb5047 |
+ goto cleanup;
|
|
|
eb5047 |
+ }
|
|
|
eb5047 |
|
|
|
eb5047 |
if(session->userauth_kybd_num_prompts) {
|
|
|
eb5047 |
session->userauth_kybd_prompts =
|
|
|
eb5047 |
--
|
|
|
eb5047 |
2.17.2
|
|
|
eb5047 |
|