Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
libssh2_org.11463
libssh2_org-CVE-2019-3859.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libssh2_org-CVE-2019-3859.patch of Package libssh2_org.11463
Index: libssh2-1.4.3/src/channel.c =================================================================== --- libssh2-1.4.3.orig/src/channel.c +++ libssh2-1.4.3/src/channel.c @@ -240,7 +240,20 @@ _libssh2_channel_open(LIBSSH2_SESSION * goto channel_error; } + if(session->open_data_len < 1) { + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + goto channel_error; + } + if (session->open_data[0] == SSH_MSG_CHANNEL_OPEN_CONFIRMATION) { + + if(session->open_data_len < 17) { + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + goto channel_error; + } + session->open_channel->remote.id = _libssh2_ntohu32(session->open_data + 5); session->open_channel->local.window_size = @@ -500,7 +513,7 @@ channel_forward_listen(LIBSSH2_SESSION * if (rc == LIBSSH2_ERROR_EAGAIN) { _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); return NULL; - } else if (rc) { + } else if (rc || data_len < 1) { _libssh2_error(session, LIBSSH2_ERROR_PROTO, "Unknown"); session->fwdLstn_state = libssh2_NB_state_idle; return NULL; @@ -838,6 +851,11 @@ static int channel_setenv(LIBSSH2_CHANNE channel->setenv_state = libssh2_NB_state_idle; return rc; } + else if(data_len < 1) { + channel->setenv_state = libssh2_NB_state_idle; + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + } if (data[0] == SSH_MSG_CHANNEL_SUCCESS) { LIBSSH2_FREE(session, data); @@ -954,7 +972,7 @@ static int channel_request_pty(LIBSSH2_C &channel->reqPTY_packet_requirev_state); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } else if (rc || data_len < 1) { channel->reqPTY_state = libssh2_NB_state_idle; return _libssh2_error(session, LIBSSH2_ERROR_PROTO, "Failed to require the PTY package"); @@ -1180,7 +1198,7 @@ channel_x11_req(LIBSSH2_CHANNEL *channel &channel->reqX11_packet_requirev_state); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } else if (rc || data_len < 1) { channel->reqX11_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "waiting for x11-req response packet"); @@ -1302,7 +1320,7 @@ _libssh2_channel_process_startup(LIBSSH2 &channel->process_packet_requirev_state); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } else if (rc || data_len < 1) { channel->process_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Failed waiting for channel success"); Index: libssh2-1.4.3/src/kex.c =================================================================== --- libssh2-1.4.3.orig/src/kex.c +++ libssh2-1.4.3/src/kex.c @@ -228,11 +228,23 @@ static int diffie_hellman_sha1(LIBSSH2_S } /* Parse KEXDH_REPLY */ + if(exchange_state->s_packet_len < 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet length"); + goto clean_exit; + } + exchange_state->s = exchange_state->s_packet + 1; session->server_hostkey_len = _libssh2_ntohu32(exchange_state->s); exchange_state->s += 4; + if(session->server_hostkey_len > exchange_state->s_packet_len - 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Host key length out of bounds"); + goto clean_exit; + } + if (session->server_hostkey) LIBSSH2_FREE(session, session->server_hostkey); @@ -848,10 +860,23 @@ static int diffie_hellman_sha256(LIBSSH2 } /* Parse KEXDH_REPLY */ + if(exchange_state->s_packet_len < 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet length"); + goto clean_exit; + } + exchange_state->s = exchange_state->s_packet + 1; session->server_hostkey_len = _libssh2_ntohu32(exchange_state->s); exchange_state->s += 4; + + if(session->server_hostkey_len > exchange_state->s_packet_len - 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Host key length out of bounds"); + goto clean_exit; + } + session->server_hostkey = LIBSSH2_ALLOC(session, session->server_hostkey_len); if (!session->server_hostkey) { Index: libssh2-1.4.3/src/session.c =================================================================== --- libssh2-1.4.3.orig/src/session.c +++ libssh2-1.4.3/src/session.c @@ -757,6 +757,11 @@ session_startup(LIBSSH2_SESSION *session if (rc) return rc; + if(session->startup_data_len < 5) { + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet length"); + } + session->startup_service_length = _libssh2_ntohu32(session->startup_data + 1); Index: libssh2-1.4.3/src/userauth.c =================================================================== --- libssh2-1.4.3.orig/src/userauth.c +++ libssh2-1.4.3/src/userauth.c @@ -107,7 +107,7 @@ static char *userauth_list(LIBSSH2_SESSI LIBSSH2_FREE(session, session->userauth_list_data); session->userauth_list_data = NULL; - if (rc) { + if (rc || (session->userauth_list_data_len < 1)) { _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, "Unable to send userauth-none request"); session->userauth_list_state = libssh2_NB_state_idle; @@ -143,7 +143,20 @@ static char *userauth_list(LIBSSH2_SESSI return NULL; } - methods_len = _libssh2_ntohu32(session->userauth_list_data + 1); + if(session->userauth_list_data_len < 5) { + LIBSSH2_FREE(session, session->userauth_list_data); + session->userauth_list_data = NULL; + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + return NULL; + } + + methods_len = _libssh2_ntohu32(session->userauth_list_data + 1); + if(methods_len >= session->userauth_list_data_len - 5) { + _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Unexpected userauth list size"); + return NULL; + } /* Do note that the memory areas overlap! */ memmove(session->userauth_list_data, session->userauth_list_data + 5, @@ -284,6 +297,11 @@ userauth_password(LIBSSH2_SESSION *sessi return _libssh2_error(session, LIBSSH2_ERROR_TIMEOUT, "Would block waiting"); } + else if(session->userauth_pswd_data_len < 1) { + session->userauth_pswd_state = libssh2_NB_state_idle; + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + } if (session->userauth_pswd_data[0] == SSH_MSG_USERAUTH_SUCCESS) { _libssh2_debug(session, LIBSSH2_TRACE_AUTH, @@ -311,6 +329,12 @@ userauth_password(LIBSSH2_SESSION *sessi session->userauth_pswd_state = libssh2_NB_state_sent1; } + if(session->userauth_pswd_data_len < 1) { + session->userauth_pswd_state = libssh2_NB_state_idle; + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + } + if ((session->userauth_pswd_data[0] == SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) || (session->userauth_pswd_data0 == @@ -829,7 +853,7 @@ userauth_hostbased_fromfile(LIBSSH2_SESS } session->userauth_host_state = libssh2_NB_state_idle; - if (rc) { + if (rc || data_len < 1) { return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED, "Auth failed"); } @@ -1185,7 +1209,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESS if (rc == LIBSSH2_ERROR_EAGAIN) { return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block requesting userauth list"); - } else if (rc) { + } else if (rc || session->userauth_pblc_data_len < 1) { session->userauth_pblc_state = libssh2_NB_state_idle; return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED, "Waiting for publickey USERAUTH response"); @@ -1418,7 +1442,7 @@ userauth_keyboard_interactive(LIBSSH2_SE if (rc == LIBSSH2_ERROR_EAGAIN) { return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); - } else if (rc) { + } else if (rc || session->userauth_kybd_data_len < 1) { session->userauth_kybd_state = libssh2_NB_state_idle; return _libssh2_error(session, LIBSSH2_ERROR_AUTHENTICATION_FAILED,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor