From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 19 Mar 2019 13:45:22 +0100 Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison ... with specially crafted message channel request Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch --- src/packet.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/packet.c b/src/packet.c index aa10633..c950b5d 100644 --- a/src/packet.c +++ b/src/packet.c @@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, uint32_t len = _libssh2_ntohu32(data + 5); unsigned char want_reply = 1; - if(len < (datalen - 10)) - want_reply = data[9 + len]; + if((len + 9) < datalen) + want_reply = data[len + 9]; _libssh2_debug(session, LIBSSH2_TRACE_CONN, @@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, channel, len, data + 9, want_reply); if (len == sizeof("exit-status") - 1 + && (sizeof("exit-status") - 1 + 9) <= datalen && !memcmp("exit-status", data + 9, sizeof("exit-status") - 1)) { @@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, channelp = _libssh2_channel_locate(session, channel); - if (channelp) { + if (channelp && (sizeof("exit-status") + 13) <= datalen) { channelp->exit_status = _libssh2_ntohu32(data + 9 + sizeof("exit-status")); _libssh2_debug(session, LIBSSH2_TRACE_CONN, @@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, } else if (len == sizeof("exit-signal") - 1 + && (sizeof("exit-signal") - 1 + 9) <= datalen && !memcmp("exit-signal", data + 9, sizeof("exit-signal") - 1)) { /* command terminated due to signal */ if(datalen >= 20) channelp = _libssh2_channel_locate(session, channel); - if (channelp) { + if (channelp && (sizeof("exit-signal") + 13) <= datalen) { /* set signal name (without SIG prefix) */ uint32_t namelen = _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); @@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, if (!channelp->exit_signal) rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "memory for signal name"); - else { + else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) { memcpy(channelp->exit_signal, - data + 13 + sizeof("exit_signal"), namelen); + data + 13 + sizeof("exit-signal"), namelen); channelp->exit_signal[namelen] = '\0'; /* TODO: save error message and language tag */ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -- 2.17.2