From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Tue, 19 Mar 2019 13:29:35 +0100

Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH

 packet processing channel

... resulting in out of bounds write

Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

---

 include/libssh2.h | 12 ++++++++++++

 src/packet.c      | 11 +++++++++--

 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/include/libssh2.h b/include/libssh2.h

index 34d2842..e25c380 100644

--- a/include/libssh2.h

+++ b/include/libssh2.h

@@ -71,6 +71,18 @@

 */

 #define LIBSSH2_VERSION_NUM 0x010403

+#ifndef SIZE_MAX

+#if _WIN64

+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF

+#else

+#define SIZE_MAX 0xFFFFFFFF

+#endif

+#endif

+

+#ifndef UINT_MAX

+#define UINT_MAX 0xFFFFFFFF

+#endif

+

 /*

  * This is the date and time when the full source package was created. The

  * timestamp is not stored in the source code repo, as the timestamp is

diff --git a/src/packet.c b/src/packet.c

index 5f1feb8..aa10633 100644

--- a/src/packet.c

+++ b/src/packet.c

@@ -814,8 +814,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,

                         /* set signal name (without SIG prefix) */

                         uint32_t namelen =

                             _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));

-                        channelp->exit_signal =

-                            LIBSSH2_ALLOC(session, namelen + 1);

+

+                        if(namelen <= UINT_MAX - 1) {

+                            channelp->exit_signal =

+                                LIBSSH2_ALLOC(session, namelen + 1);

+                        }

+                        else {

+                            channelp->exit_signal = NULL;

+                        }

+

                         if (!channelp->exit_signal)

                             rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,

                                                 "memory for signal name");

-- 

2.17.2

From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001

From: Michael Buckley <michael@buckleyisms.com>

Date: Mon, 18 Mar 2019 15:07:12 -0700

Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h

Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 include/libssh2.h  | 12 ------------

 src/libssh2_priv.h | 12 ++++++++++++

 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/libssh2.h b/include/libssh2.h

index e25c380..34d2842 100644

--- a/include/libssh2.h

+++ b/include/libssh2.h

@@ -71,18 +71,6 @@

 */

 #define LIBSSH2_VERSION_NUM 0x010403

-#ifndef SIZE_MAX

-#if _WIN64

-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF

-#else

-#define SIZE_MAX 0xFFFFFFFF

-#endif

-#endif

-

-#ifndef UINT_MAX

-#define UINT_MAX 0xFFFFFFFF

-#endif

-

 /*

  * This is the date and time when the full source package was created. The

  * timestamp is not stored in the source code repo, as the timestamp is

diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h

index b4296a2..bb5d1a5 100644

--- a/src/libssh2_priv.h

+++ b/src/libssh2_priv.h

@@ -144,6 +144,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)

 #endif

+#ifndef SIZE_MAX

+#if _WIN64

+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF

+#else

+#define SIZE_MAX 0xFFFFFFFF

+#endif

+#endif

+

+#ifndef UINT_MAX

+#define UINT_MAX 0xFFFFFFFF

+#endif

+

 /* RFC4253 section 6.1 Maximum Packet Length says:

  *

  * "All implementations MUST be able to process packets with

-- 

2.17.2