From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 19 Mar 2019 13:16:53 +0100
Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read
... resulting in out of bounds write
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
---
src/transport.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/transport.c b/src/transport.c
index 8725da0..5349284 100644
--- a/src/transport.c
+++ b/src/transport.c
@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
* and we can extract packet and padding length from it
*/
p->packet_length = _libssh2_ntohu32(block);
- if (p->packet_length < 1)
+ if(p->packet_length < 1) {
return LIBSSH2_ERROR_DECRYPT;
+ }
+ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
+ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
+ }
p->padding_length = block[4];
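Review bot: The last line of the hunk stores `p->padding_length = block[4];` straight from the peer-supplied block, and nothing visible here compares it with the now-bounded `p->packet_length`. A padding length larger than `packet_length - 1` would make any later payload-size subtraction wrap. If no such check follows outside the hunk, add `if(p->padding_length > p->packet_length - 1) { return LIBSSH2_ERROR_DECRYPT; }` right after the assignment. The new upper-bound branch would also be easier to maintain with a short comment, for example `/* peer-controlled length: reject before it feeds the size arithmetic below */`, since the commit subject indicates that arithmetic is where the overflow occurred. The body of _libssh2_transport_read continues past the hunk, so the padding point should be confirmed against the full function.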
--
2.17.2