|
 |
eb5047 |
From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001
|
|
|
eb5047 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
eb5047 |
Date: Tue, 19 Mar 2019 13:47:41 +0100
|
|
|
eb5047 |
Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user
|
|
|
eb5047 |
authenticate keyboard interactive
|
|
|
eb5047 |
|
|
|
eb5047 |
... that allows out-of-bounds writes
|
|
|
eb5047 |
|
|
|
eb5047 |
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
|
|
|
eb5047 |
---
|
|
|
eb5047 |
src/userauth.c | 13 +++++++++++--
|
|
|
eb5047 |
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
eb5047 |
|
|
|
eb5047 |
diff --git a/src/userauth.c b/src/userauth.c
|
|
|
eb5047 |
index 3946cf9..ee924c5 100644
|
|
|
eb5047 |
--- a/src/userauth.c
|
|
|
eb5047 |
+++ b/src/userauth.c
|
|
|
eb5047 |
@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
|
|
|
eb5047 |
|
|
|
eb5047 |
for(i = 0; i < session->userauth_kybd_num_prompts; i++) {
|
|
|
eb5047 |
/* string response[1] (ISO-10646 UTF-8) */
|
|
|
eb5047 |
- session->userauth_kybd_packet_len +=
|
|
|
eb5047 |
- 4 + session->userauth_kybd_responses[i].length;
|
|
|
eb5047 |
+ if(session->userauth_kybd_responses[i].length <=
|
|
|
eb5047 |
+ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
|
|
|
eb5047 |
+ session->userauth_kybd_packet_len +=
|
|
|
eb5047 |
+ 4 + session->userauth_kybd_responses[i].length;
|
|
|
eb5047 |
+ }
|
|
|
eb5047 |
+ else {
|
|
|
eb5047 |
+ _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
|
|
|
eb5047 |
+ "Unable to allocate memory for keyboard-"
|
|
|
eb5047 |
+ "interactive response packet");
|
|
|
eb5047 |
+ goto cleanup;
|
|
|
eb5047 |
+ }
|
|
|
eb5047 |
}
|
|
|
eb5047 |
|
|
|
eb5047 |
/* A new userauth_kybd_data area is to be allocated, free the
|
|
|
eb5047 |
--
|
|
|
eb5047 |
2.17.2
|
|
|
eb5047 |
|