1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
Description: Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes
Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
Bug-Debian: https://bugs.debian.org/924965
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3863
Forwarded: not-needed
Last-Update: 2019-03-30
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -1831,8 +1831,17 @@ userauth_keyboard_interactive(LIBSSH2_SE
for(i = 0; i < session->userauth_kybd_num_prompts; i++) {
/* string response[1] (ISO-10646 UTF-8) */
- session->userauth_kybd_packet_len +=
- 4 + session->userauth_kybd_responses[i].length;
+ if(session->userauth_kybd_responses[i].length <=
+ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
+ session->userauth_kybd_packet_len +=
+ 4 + session->userauth_kybd_responses[i].length;
+ }
+ else {
+ _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "Unable to allocate memory for keyboard-"
+ "interactive response packet");
+ goto cleanup;
+ }
}
/* A new userauth_kybd_data area is to be allocated, free the
|
