From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 19 Mar 2019 13:29:35 +0100 Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH packet processing channel ... resulting in out of bounds write Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch --- include/libssh2.h | 12 ++++++++++++ src/packet.c | 11 +++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/include/libssh2.h b/include/libssh2.h index 34d2842..e25c380 100644 --- a/include/libssh2.h +++ b/include/libssh2.h @@ -145,6 +145,18 @@ typedef int libssh2_socket_t; #define LIBSSH2_INVALID_SOCKET -1 #endif /* WIN32 */ +#ifndef SIZE_MAX +#if _WIN64 +#define SIZE_MAX 0xFFFFFFFFFFFFFFFF +#else +#define SIZE_MAX 0xFFFFFFFF +#endif +#endif + +#ifndef UINT_MAX +#define UINT_MAX 0xFFFFFFFF +#endif + /* * Determine whether there is small or large file support on windows. */ diff --git a/src/packet.c b/src/packet.c index 5f1feb8..aa10633 100644 --- a/src/packet.c +++ b/src/packet.c @@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, /* set signal name (without SIG prefix) */ uint32_t namelen = _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); - channelp->exit_signal = - LIBSSH2_ALLOC(session, namelen + 1); + + if(namelen <= UINT_MAX - 1) { + channelp->exit_signal = + LIBSSH2_ALLOC(session, namelen + 1); + } + else { + channelp->exit_signal = NULL; + } + if (!channelp->exit_signal) rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "memory for signal name"); -- 2.17.2 From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001 From: Michael Buckley Date: Mon, 18 Mar 2019 15:07:12 -0700 Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207 Signed-off-by: Kamil Dudka --- include/libssh2.h | 12 ------------ src/libssh2_priv.h | 12 ++++++++++++ 2 files changed, 12 insertions(+), 12 deletions(-) 
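Review bot: The fallback block added after `#endif /* WIN32 */` in include/libssh2.h picks `SIZE_MAX 0xFFFFFFFF` for every target that is not `_WIN64`, which is too small on 64-bit non-Windows builds whenever the system definition is not already in scope at this point. Nothing in the hunk includes `<limits.h>` or `<stdint.h>` first, so whether the `#ifndef` tests see the real macros depends on include order outside the hunk. Deriving the limits from the types avoids both problems, `#define SIZE_MAX ((size_t)-1)` and `#define UINT_MAX (~0U)`; if the `_WIN64` branch is kept, it should be `#ifdef _WIN64` so it stays quiet under -Wundef. The same block is re-added unchanged in src/libssh2_priv.h by patch 2/2, so the point applies there as well.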
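Review bot: The added guard `if(namelen <= UINT_MAX - 1)` in src/packet.c only keeps `namelen + 1` from wrapping; `namelen` still comes straight from the peer's packet and nothing in the hunk compares it with the number of bytes actually received. _libssh2_packet_add starts and ends outside the hunk, so this is inferred, but if the code that follows copies `namelen` bytes out of `data`, a large value that passes the guard would read past the packet buffer. I would bound it before allocating, for example `if(datalen < 13 + sizeof("exit-signal") || namelen > datalen - (13 + sizeof("exit-signal")))` as the rejection test, assuming `datalen` is this function's packet-length argument (the signature is cut off in the hunk header). Separately, an oversized length is reported as `LIBSSH2_ERROR_ALLOC` with "memory for signal name", which makes a malformed packet look like memory exhaustion in logs; a distinct protocol error would be easier to spot.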
diff --git a/include/libssh2.h b/include/libssh2.h index e25c380..34d2842 100644 --- a/include/libssh2.h +++ b/include/libssh2.h @@ -145,18 +145,6 @@ typedef int libssh2_socket_t; #define LIBSSH2_INVALID_SOCKET -1 #endif /* WIN32 */ -#ifndef SIZE_MAX -#if _WIN64 -#define SIZE_MAX 0xFFFFFFFFFFFFFFFF -#else -#define SIZE_MAX 0xFFFFFFFF -#endif -#endif - -#ifndef UINT_MAX -#define UINT_MAX 0xFFFFFFFF -#endif - /* * Determine whether there is small or large file support on windows. */ diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h index b4296a2..bb5d1a5 100644 --- a/src/libssh2_priv.h +++ b/src/libssh2_priv.h @@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs) #endif +#ifndef SIZE_MAX +#if _WIN64 +#define SIZE_MAX 0xFFFFFFFFFFFFFFFF +#else +#define SIZE_MAX 0xFFFFFFFF +#endif +#endif + +#ifndef UINT_MAX +#define UINT_MAX 0xFFFFFFFF +#endif + /* RFC4253 section 6.1 Maximum Packet Length says: * * "All implementations MUST be able to process packets with -- 2.17.2