Package: libssh2 / 1.8.0-2.1

CVE-2019-3855.patch Patch series | download
Description: Possible integer overflow in transport read allows out-of-bounds write
Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
Bug-Debian: https://bugs.debian.org/924965
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3855
Forwarded: not-needed
Last-Update: 2019-03-30

--- a/src/transport.c
+++ b/src/transport.c
@@ -438,6 +438,12 @@ int _libssh2_transport_read(LIBSSH2_SESS
                 return LIBSSH2_ERROR_DECRYPT;
 
             p->padding_length = block[4];
+            if(p->packet_length < 1) {
+                return LIBSSH2_ERROR_DECRYPT;
+            }
+            else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
+                return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
+            }
 
             /* total_num is the number of bytes following the initial
                (5 bytes) packet length and padding length fields */
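Review bot: `p->padding_length` is read from `block[4]` just above the added checks and is not compared with `p->packet_length` anywhere in this hunk, so only the length field is bounded here. If no later code validates it (the rest of `_libssh2_transport_read` starts and ends outside the hunk), a guard such as `if(p->padding_length > p->packet_length - 1) { return LIBSSH2_ERROR_DECRYPT; }` belongs next to the new checks. The added `p->packet_length < 1` test returns the same error as the context line immediately before it and may duplicate a check that already exists there. The upper-bound test would also benefit from a comment such as `/* bound packet_length before it feeds the total_num arithmetic below */`, so that a later refactor does not move it after the computation it protects.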