Blame SOURCES/0004-libssh2-1.8.0-CVE-2019-3858.patch
|
 |
eb5047 |
From f06cf3a20dc3f54b7a9fc8127eb7719462caab39 Mon Sep 17 00:00:00 2001
|
|
|
eb5047 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
eb5047 |
Date: Tue, 19 Mar 2019 13:32:05 +0100
|
|
|
eb5047 |
Subject: [PATCH] Resolves: CVE-2019-3858 - fix zero-byte allocation
|
|
|
eb5047 |
|
|
|
eb5047 |
... with a specially crafted SFTP packet leading to an out-of-bounds read
|
|
|
eb5047 |
|
|
|
eb5047 |
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
|
|
|
eb5047 |
---
|
|
|
eb5047 |
src/sftp.c | 4 ++++
|
|
|
eb5047 |
1 file changed, 4 insertions(+)
|
|
|
eb5047 |
|
|
|
eb5047 |
diff --git a/src/sftp.c b/src/sftp.c
|
|
|
eb5047 |
index 7c44116..65cef85 100644
|
|
|
eb5047 |
--- a/src/sftp.c
|
|
|
eb5047 |
+++ b/src/sftp.c
|
|
|
eb5047 |
@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp)
|
|
|
eb5047 |
return _libssh2_error(session,
|
|
|
eb5047 |
LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED,
|
|
|
eb5047 |
"SFTP packet too large");
|
|
|
eb5047 |
+ if (sftp->partial_len == 0)
|
|
|
eb5047 |
+ return _libssh2_error(session,
|
|
|
eb5047 |
+ LIBSSH2_ERROR_ALLOC,
|
|
|
eb5047 |
+ "Unable to allocate empty SFTP packet");
|
|
|
eb5047 |
|
|
|
eb5047 |
_libssh2_debug(session, LIBSSH2_TRACE_SFTP,
|
|
|
eb5047 |
"Data begin - Packet Length: %lu",
|
|
|
eb5047 |
--
|
|
|
eb5047 |
2.17.2
|
|
|
eb5047 |
|