|
 |
2c25aa |
From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001
|
|
|
2c25aa |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
2c25aa |
Date: Tue, 19 Mar 2019 13:45:22 +0100
|
|
|
2c25aa |
Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison
|
|
|
2c25aa |
|
|
|
2c25aa |
... with specially crafted message channel request
|
|
|
2c25aa |
|
|
|
2c25aa |
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
|
|
|
2c25aa |
---
|
|
|
2c25aa |
src/packet.c | 14 ++++++++------
|
|
|
2c25aa |
1 file changed, 8 insertions(+), 6 deletions(-)
|
|
|
2c25aa |
|
|
|
2c25aa |
diff --git a/src/packet.c b/src/packet.c
|
|
|
2c25aa |
index aa10633..c950b5d 100644
|
|
|
2c25aa |
--- a/src/packet.c
|
|
|
2c25aa |
+++ b/src/packet.c
|
|
|
2c25aa |
@@ -774,8 +774,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
|
|
2c25aa |
uint32_t len = _libssh2_ntohu32(data + 5);
|
|
|
2c25aa |
unsigned char want_reply = 1;
|
|
|
2c25aa |
|
|
|
2c25aa |
- if(len < (datalen - 10))
|
|
|
2c25aa |
- want_reply = data[9 + len];
|
|
|
2c25aa |
+ if((len + 9) < datalen)
|
|
|
2c25aa |
+ want_reply = data[len + 9];
|
|
|
2c25aa |
|
|
|
2c25aa |
_libssh2_debug(session,
|
|
|
2c25aa |
LIBSSH2_TRACE_CONN,
|
|
|
2c25aa |
@@ -783,6 +783,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
|
|
2c25aa |
channel, len, data + 9, want_reply);
|
|
|
2c25aa |
|
|
|
2c25aa |
if (len == sizeof("exit-status") - 1
|
|
|
2c25aa |
+ && (sizeof("exit-status") - 1 + 9) <= datalen
|
|
|
2c25aa |
&& !memcmp("exit-status", data + 9,
|
|
|
2c25aa |
sizeof("exit-status") - 1)) {
|
|
|
2c25aa |
|
|
|
2c25aa |
@@ -791,7 +792,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
|
|
2c25aa |
channelp =
|
|
|
2c25aa |
_libssh2_channel_locate(session, channel);
|
|
|
2c25aa |
|
|
|
2c25aa |
- if (channelp) {
|
|
|
2c25aa |
+ if (channelp && (sizeof("exit-status") + 13) <= datalen) {
|
|
|
2c25aa |
channelp->exit_status =
|
|
|
2c25aa |
_libssh2_ntohu32(data + 9 + sizeof("exit-status"));
|
|
|
2c25aa |
_libssh2_debug(session, LIBSSH2_TRACE_CONN,
|
|
|
2c25aa |
@@ -804,13 +805,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
|
|
2c25aa |
|
|
|
2c25aa |
}
|
|
|
2c25aa |
else if (len == sizeof("exit-signal") - 1
|
|
|
2c25aa |
+ && (sizeof("exit-signal") - 1 + 9) <= datalen
|
|
|
2c25aa |
&& !memcmp("exit-signal", data + 9,
|
|
|
2c25aa |
sizeof("exit-signal") - 1)) {
|
|
|
2c25aa |
/* command terminated due to signal */
|
|
|
2c25aa |
if(datalen >= 20)
|
|
|
2c25aa |
channelp = _libssh2_channel_locate(session, channel);
|
|
|
2c25aa |
|
|
|
2c25aa |
- if (channelp) {
|
|
|
2c25aa |
+ if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
|
|
|
2c25aa |
/* set signal name (without SIG prefix) */
|
|
|
2c25aa |
uint32_t namelen =
|
|
|
2c25aa |
_libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
|
|
|
2c25aa |
@@ -826,9 +828,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
|
|
2c25aa |
if (!channelp->exit_signal)
|
|
|
2c25aa |
rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
|
|
|
2c25aa |
"memory for signal name");
|
|
|
2c25aa |
- else {
|
|
|
2c25aa |
+ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
|
|
|
2c25aa |
memcpy(channelp->exit_signal,
|
|
|
2c25aa |
- data + 13 + sizeof("exit_signal"), namelen);
|
|
|
2c25aa |
+ data + 13 + sizeof("exit-signal"), namelen);
|
|
|
2c25aa |
channelp->exit_signal[namelen] = '\0';
|
|
|
2c25aa |
/* TODO: save error message and language tag */
|
|
|
2c25aa |
_libssh2_debug(session, LIBSSH2_TRACE_CONN,
|
|
|
2c25aa |
--
|
|
|
2c25aa |
2.17.2
|
|
|
2c25aa |
|