|
|
4e9174 |
From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001
|
|
|
4e9174 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
4e9174 |
Date: Tue, 19 Mar 2019 13:29:35 +0100
|
|
|
4e9174 |
Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH
|
|
|
4e9174 |
packet processing channel
|
|
|
4e9174 |
|
|
|
4e9174 |
... resulting in out of bounds write
|
|
|
4e9174 |
|
|
|
4e9174 |
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
|
|
|
4e9174 |
---
|
|
|
4e9174 |
include/libssh2.h | 12 ++++++++++++
|
|
|
4e9174 |
src/packet.c | 11 +++++++++--
|
|
|
4e9174 |
2 files changed, 21 insertions(+), 2 deletions(-)
|
|
|
4e9174 |
|
|
|
4e9174 |
diff --git a/include/libssh2.h b/include/libssh2.h
|
|
|
4e9174 |
index 34d2842..e25c380 100644
|
|
|
4e9174 |
--- a/include/libssh2.h
|
|
|
4e9174 |
+++ b/include/libssh2.h
|
|
|
d780b0 |
@@ -145,6 +145,18 @@ typedef int libssh2_socket_t;
|
|
|
d780b0 |
#define LIBSSH2_INVALID_SOCKET -1
|
|
|
d780b0 |
#endif /* WIN32 */
|
|
|
4e9174 |
|
|
|
4e9174 |
+#ifndef SIZE_MAX
|
|
|
4e9174 |
+#if _WIN64
|
|
|
4e9174 |
+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
|
|
|
4e9174 |
+#else
|
|
|
4e9174 |
+#define SIZE_MAX 0xFFFFFFFF
|
|
|
4e9174 |
+#endif
|
|
|
4e9174 |
+#endif
|
|
|
4e9174 |
+
|
|
|
4e9174 |
+#ifndef UINT_MAX
|
|
|
4e9174 |
+#define UINT_MAX 0xFFFFFFFF
|
|
|
4e9174 |
+#endif
|
|
|
4e9174 |
+
|
|
|
4e9174 |
/*
|
|
|
d780b0 |
* Determine whether there is small or large file support on windows.
|
|
|
d780b0 |
*/
|
|
|
4e9174 |
diff --git a/src/packet.c b/src/packet.c
|
|
|
4e9174 |
index 5f1feb8..aa10633 100644
|
|
|
4e9174 |
--- a/src/packet.c
|
|
|
4e9174 |
+++ b/src/packet.c
|
|
|
d780b0 |
@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
|
|
4e9174 |
/* set signal name (without SIG prefix) */
|
|
|
4e9174 |
uint32_t namelen =
|
|
|
4e9174 |
_libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
|
|
|
4e9174 |
- channelp->exit_signal =
|
|
|
4e9174 |
- LIBSSH2_ALLOC(session, namelen + 1);
|
|
|
4e9174 |
+
|
|
|
4e9174 |
+ if(namelen <= UINT_MAX - 1) {
|
|
|
4e9174 |
+ channelp->exit_signal =
|
|
|
4e9174 |
+ LIBSSH2_ALLOC(session, namelen + 1);
|
|
|
4e9174 |
+ }
|
|
|
4e9174 |
+ else {
|
|
|
4e9174 |
+ channelp->exit_signal = NULL;
|
|
|
4e9174 |
+ }
|
|
|
4e9174 |
+
|
|
|
4e9174 |
if (!channelp->exit_signal)
|
|
|
4e9174 |
rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
|
|
|
4e9174 |
"memory for signal name");
|
|
|
4e9174 |
--
|
|
|
4e9174 |
2.17.2
|
|
|
4e9174 |
|
|
|
4e9174 |
|
|
|
4e9174 |
From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001
|
|
|
4e9174 |
From: Michael Buckley <michael@buckleyisms.com>
|
|
|
4e9174 |
Date: Mon, 18 Mar 2019 15:07:12 -0700
|
|
|
4e9174 |
Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h
|
|
|
4e9174 |
|
|
|
4e9174 |
Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207
|
|
|
4e9174 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
4e9174 |
---
|
|
|
4e9174 |
include/libssh2.h | 12 ------------
|
|
|
4e9174 |
src/libssh2_priv.h | 12 ++++++++++++
|
|
|
4e9174 |
2 files changed, 12 insertions(+), 12 deletions(-)
|
|
|
4e9174 |
|
|
|
4e9174 |
diff --git a/include/libssh2.h b/include/libssh2.h
|
|
|
4e9174 |
index e25c380..34d2842 100644
|
|
|
4e9174 |
--- a/include/libssh2.h
|
|
|
4e9174 |
+++ b/include/libssh2.h
|
|
|
d780b0 |
@@ -145,18 +145,6 @@ typedef int libssh2_socket_t;
|
|
|
d780b0 |
#define LIBSSH2_INVALID_SOCKET -1
|
|
|
d780b0 |
#endif /* WIN32 */
|
|
|
4e9174 |
|
|
|
4e9174 |
-#ifndef SIZE_MAX
|
|
|
4e9174 |
-#if _WIN64
|
|
|
4e9174 |
-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
|
|
|
4e9174 |
-#else
|
|
|
4e9174 |
-#define SIZE_MAX 0xFFFFFFFF
|
|
|
4e9174 |
-#endif
|
|
|
4e9174 |
-#endif
|
|
|
4e9174 |
-
|
|
|
4e9174 |
-#ifndef UINT_MAX
|
|
|
4e9174 |
-#define UINT_MAX 0xFFFFFFFF
|
|
|
4e9174 |
-#endif
|
|
|
4e9174 |
-
|
|
|
4e9174 |
/*
|
|
|
d780b0 |
* Determine whether there is small or large file support on windows.
|
|
|
d780b0 |
*/
|
|
|
4e9174 |
diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
|
|
|
4e9174 |
index b4296a2..bb5d1a5 100644
|
|
|
4e9174 |
--- a/src/libssh2_priv.h
|
|
|
4e9174 |
+++ b/src/libssh2_priv.h
|
|
|
d780b0 |
@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
|
|
|
4e9174 |
|
|
|
4e9174 |
#endif
|
|
|
4e9174 |
|
|
|
4e9174 |
+#ifndef SIZE_MAX
|
|
|
4e9174 |
+#if _WIN64
|
|
|
4e9174 |
+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
|
|
|
4e9174 |
+#else
|
|
|
4e9174 |
+#define SIZE_MAX 0xFFFFFFFF
|
|
|
4e9174 |
+#endif
|
|
|
4e9174 |
+#endif
|
|
|
4e9174 |
+
|
|
|
4e9174 |
+#ifndef UINT_MAX
|
|
|
4e9174 |
+#define UINT_MAX 0xFFFFFFFF
|
|
|
4e9174 |
+#endif
|
|
|
4e9174 |
+
|
|
|
4e9174 |
/* RFC4253 section 6.1 Maximum Packet Length says:
|
|
|
4e9174 |
*
|
|
|
4e9174 |
* "All implementations MUST be able to process packets with
|
|
|
4e9174 |
--
|
|
|
4e9174 |
2.17.2
|
|
|
4e9174 |
|