Blob Blame History Raw
From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 19 Mar 2019 13:47:41 +0100
Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user
 authenticate keyboard interactive

... that allows out-of-bounds writes

Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
---
 src/userauth.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/userauth.c b/src/userauth.c
index 3946cf9..ee924c5 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -1578,8 +1578,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
 
             for(i = 0; i != session->userauth_kybd_num_prompts; ++i) {
                 /* string    response[1] (ISO-10646 UTF-8) */
-                session->userauth_kybd_packet_len +=
-                    4 + session->userauth_kybd_responses[i].length;
+                 if(session->userauth_kybd_responses[i].length <=
+                   (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
+                    session->userauth_kybd_packet_len +=
+                        4 + session->userauth_kybd_responses[i].length;
+                }
+                else {
+                    _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+                                   "Unable to allocate memory for keyboard-"
+                                   "interactive response packet");
+                    goto cleanup;
+                }
             }
 
             /* A new userauth_kybd_data area is to be allocated, free the
-- 
2.17.2