blob: 40c9e9bd0cc1d1f2f5893434228c000998c0a9a8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 19 Mar 2019 13:22:24 +0100
Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
interactive handling
... resulting in out of bounds write
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
I believe that:
`(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
... can be simplified as:
`(session->userauth_kybd_num_prompts > 100)`
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/userauth.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/userauth.c b/src/userauth.c
index cdfa25e..3946cf9 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
/* int num-prompts */
session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
s += 4;
+ if(session->userauth_kybd_num_prompts &&
+ session->userauth_kybd_num_prompts > 100) {
+ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+ "Too many replies for "
+ "keyboard-interactive prompts");
+ goto cleanup;
+ }
if(session->userauth_kybd_num_prompts) {
session->userauth_kybd_prompts =
--
2.17.2
|