path: root/0003-libssh2-1.8.0-CVE-2019-3857.patch
blob: ea264d2d7fa6e830e116ee73a61af58518cb5cbe (plain)
From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 19 Mar 2019 13:29:35 +0100
Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH
 packet processing channel

... resulting in out of bounds write

Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
---
 include/libssh2.h | 12 ++++++++++++
 src/packet.c      | 11 +++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/include/libssh2.h b/include/libssh2.h
index 34d2842..e25c380 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -145,6 +145,18 @@ typedef int libssh2_socket_t;
 #define LIBSSH2_INVALID_SOCKET -1
 #endif /* WIN32 */
 
+#ifndef SIZE_MAX
+#if _WIN64
+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+#else
+#define SIZE_MAX 0xFFFFFFFF
+#endif
+#endif
+
+#ifndef UINT_MAX
+#define UINT_MAX 0xFFFFFFFF
+#endif
+
 /*
  * Determine whether there is small or large file support on windows.
  */
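Review bot: The fallback `#define SIZE_MAX 0xFFFFFFFF` in the `#else` branch applies to every non-_WIN64 target that reaches this point without SIZE_MAX, so it would be too small on a 64-bit non-Windows build. The overflow guard added in src/packet.c depends on these limits being correct. Both fallbacks also assume that no later include of `<limits.h>` or `<stdint.h>` redefines the macros. Including `<limits.h>` for UINT_MAX and falling back to `#define SIZE_MAX ((size_t)-1)` would avoid guessing the width. The same block is carried unchanged into the src/libssh2_priv.h hunk of patch 2/2, so the point applies there as well.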
diff --git a/src/packet.c b/src/packet.c
index 5f1feb8..aa10633 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
                         /* set signal name (without SIG prefix) */
                         uint32_t namelen =
                             _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-                        channelp->exit_signal =
-                            LIBSSH2_ALLOC(session, namelen + 1);
+
+                        if(namelen <= UINT_MAX - 1) {
+                            channelp->exit_signal =
+                                LIBSSH2_ALLOC(session, namelen + 1);
+                        }
+                        else {
+                            channelp->exit_signal = NULL;
+                        }
+
                         if (!channelp->exit_signal)
                             rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
                                                 "memory for signal name");
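Review bot: The new guard only stops `namelen + 1` from wrapping; nothing visible in this hunk compares `namelen`, which is read straight from the packet, with the number of bytes actually received. A large value that does not wrap is therefore still accepted and allocated. The rest of `_libssh2_packet_add` lies outside the hunk, so it is inferred that the following branch copies `namelen` bytes out of `data`; if it does, the length should first be bounded by the packet size, for example `if(datalen >= 13 + sizeof("exit-signal") && namelen <= datalen - 13 - sizeof("exit-signal"))`, assuming `datalen` is the function's packet-length parameter. The rejected-length path also reports LIBSSH2_ERROR_ALLOC with "memory for signal name", which makes a malformed packet look like memory exhaustion in logs. A comment such as `/* namelen + 1 would wrap: malformed packet, not an allocation failure */` on the else branch would make that explicit.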
-- 
2.17.2


From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001
From: Michael Buckley <michael@buckleyisms.com>
Date: Mon, 18 Mar 2019 15:07:12 -0700
Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h

Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 include/libssh2.h  | 12 ------------
 src/libssh2_priv.h | 12 ++++++++++++
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/libssh2.h b/include/libssh2.h
index e25c380..34d2842 100644
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -145,18 +145,6 @@ typedef int libssh2_socket_t;
 #define LIBSSH2_INVALID_SOCKET -1
 #endif /* WIN32 */
 
-#ifndef SIZE_MAX
-#if _WIN64
-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
-#else
-#define SIZE_MAX 0xFFFFFFFF
-#endif
-#endif
-
-#ifndef UINT_MAX
-#define UINT_MAX 0xFFFFFFFF
-#endif
-
 /*
  * Determine whether there is small or large file support on windows.
  */
diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
index b4296a2..bb5d1a5 100644
--- a/src/libssh2_priv.h
+++ b/src/libssh2_priv.h
@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
 
 #endif
 
+#ifndef SIZE_MAX
+#if _WIN64
+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+#else
+#define SIZE_MAX 0xFFFFFFFF
+#endif
+#endif
+
+#ifndef UINT_MAX
+#define UINT_MAX 0xFFFFFFFF
+#endif
+
 /* RFC4253 section 6.1 Maximum Packet Length says:
  *
  * "All implementations MUST be able to process packets with
-- 
2.17.2