From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 19 Mar 2019 13:16:53 +0100
Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read ... resulting in out of bounds write
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
---
 src/transport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/transport.c b/src/transport.c
index 8725da0..5349284 100644
--- a/src/transport.c
+++ b/src/transport.c
@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
 * and we can extract packet and padding length from it
 */
 p->packet_length = _libssh2_ntohu32(block);
- if (p->packet_length < 1)
+ if(p->packet_length < 1) {
 return LIBSSH2_ERROR_DECRYPT;
+ }
+ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
+ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
+ }
 p->padding_length = block[4];
--
2.17.2
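Review bot: The new upper bound on `p->packet_length` sits just before `p->padding_length` is read from `block[4]`, but nothing in the hunk relates the two fields, and both are taken from the peer. If the payload length is later derived by subtracting `padding_length` (and the length byte) from `packet_length` without its own guard — that code is outside the hunk, so this is inferred, not verified — a `padding_length` equal to or larger than `packet_length` still underflows the unsigned arithmetic. A cheap check immediately after the `block[4]` read closes that gap: `if(p->padding_length >= p->packet_length) { return LIBSSH2_ERROR_DECRYPT; }`, unless the fullpacket path already rejects it. Minor style point: the rewritten branch uses `if(` where the line it replaces used `if (`; make sure the form matches the file's convention rather than mixing both within one function. `_libssh2_transport_read` begins and ends outside the hunk.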