Package: libssh2 / 1.8.0-2.1

CVE-2019-3857.patch Patch series | download
Description: Possible integer overflow leading to zero-byte allocation and out-of-bounds write
Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
Bug-Debian: https://bugs.debian.org/924965
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3857
Forwarded: not-needed
Last-Update: 2019-03-30

--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -145,6 +145,18 @@ typedef int libssh2_socket_t;
 #define LIBSSH2_INVALID_SOCKET -1
 #endif /* WIN32 */
 
+#ifndef SIZE_MAX
+#if _WIN64
+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+#else
+#define SIZE_MAX 0xFFFFFFFF
+#endif
+#endif
+
+#ifndef UINT_MAX
+#define UINT_MAX 0xFFFFFFFF
+#endif
+
 /*
  * Determine whether there is small or large file support on windows.
  */
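Review bot: The fallback `SIZE_MAX` and `UINT_MAX` definitions are added to the public header, so they leak into every application that includes libssh2.h. If the system `<limits.h>` or `<stdint.h>` is pulled in after this point, its own definition will probably use a different token sequence and trigger a macro redefinition diagnostic. The non-`_WIN64` branch also fixes `SIZE_MAX` at `0xFFFFFFFF`, which understates the limit on a 64-bit non-Windows target that lacks the macro; that fails safe for overflow checks but is still incorrect. Whether this header already includes the standard headers is not visible in the hunk; if it does not, adding `#include <limits.h>` (and `<stdint.h>` where available) ahead of these guards and moving the fallbacks into a private header would avoid both problems. A short comment such as `/* fallback for toolchains without <stdint.h>/<limits.h>; used by length overflow checks */` would also tell readers why they exist.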
--- a/src/packet.c
+++ b/src/packet.c
@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
                         /* set signal name (without SIG prefix) */
                         uint32_t namelen =
                             _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-                        channelp->exit_signal =
-                            LIBSSH2_ALLOC(session, namelen + 1);
+
+                        if(namelen <= UINT_MAX - 1) {
+                            channelp->exit_signal =
+                                LIBSSH2_ALLOC(session, namelen + 1);
+                        }
+                        else {
+                            channelp->exit_signal = NULL;
+                        }
+
                         if (!channelp->exit_signal)
                             rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
                                                 "memory for signal name");